I am having an issue with TRAC not adhering to the Subversion access
control permissions.
Platform/Authentication Info
OS: Windows Server 2008 R2 Standard SP1 (64 bit)
Service: CollabNet Subversion Apache 2.2.23 (win32)
Service: CollabNet Subversion Client svnserver v1.7.8
Client App: Tortoise SVN v1.8.11.26382 (64 bit)
Authentication: Apache using SSPI
===============================
In the httpd.conf file:
# Among other load modules used are the following:
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /svn/>
DAV svn
SVNParentPath e:/svn_repository
SVNIndexXSLT /manual/style/xsl/svnindex.xsl
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
# Specify domain\userid in .svnaccess file so set SSPIOmitDomain to off.
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName " Subversion Login (Use domain\userid format)"
# Specify which users are allowed to access which svn projects
AuthzSVNAccessFile "E:/etc/.svnaccess"
Require valid-user
</Location>
<Location /trac>
SVNParentPath e:/svn_repository
AuthzSVNAccessFile "E:/etc/.svnaccess"
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir e:\trac
# Location and TracUriRoot have the same path
# TracUriRoot may or may not be necessary in your setup.
PythonOption TracUriRoot /trac
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName "TRAC Login (Use domain\userid format)"
Require valid-user
</Location>
<Location /trac/login>
AuthType SSPI
AuthName "Trac Login"
SSPIAuth On
SSPIAuthoritative On
SSPIDomain MyLocalDomain
SSPIOfferBasic On
SSPIOmitDomain Off
SSPIBasicPreferred On
Require valid-user
</Location>
#Include e:/etc/subversion.conf
===============================
In the e:/etc/subversion.conf file:
<Location /ARES>
DAV svn
SVNPath E:/svn_repository/ARES
AuthType Basic
AuthName "Subversion ARES repository"
Require valid-user
ErrorDocument 404 default
</Location>
Svn repo for which a TRAC project has been created is
E:\svn_repository\ARES.
On the server, E:\svn_repository\ARES contains the following folders:
Conf
Dav
Db
Hooks
Locks
And the following files:
Format
Readme.txt
===============================
In the svn access control file, e:\etc\.svnaccess, is:
# Groups are defined.
[groups]
admin = domain\beth, domain\eric
ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
# Access to the top-level / directory is only for the admin group.
[/]
@admin = rw
# Access to the ARES folder is forbidden for all.
[ARES:/]
* =
# Access to subfolders under the ARES area is allowed.
[ARES:/ComponentLibrary]
@ARES_team = rw
===============================
Access to the repositories works as it should for all users when using
TortoiseSVN. Only admins have access to the slash repo. No one can access
the ARES repo. Members of the ARES_team can access the
ARES/ComponentLibrary repo.
We want a TRAC project which points to the ARES/ComponentLibrary area. The
following TRAC project is set up associated with the svn repo:
[components]
tracopt.versioncontrol.svn.* = enabled
tracstats.* = enabled
trac.versioncontrol.api.repositorymanager = enabled
trac.versioncontrol.svn_authz.svnauthzoptions = enabled
# This is an optional 'project root'
[stats]
root = e:\svn_repository\ARES\ComponentLibrary
[repositories]
#
# It should be noted that the path below doesn’t actually exist.
# There is no ComponentLibrary subfolder on the server, but it is
# accessible from the TortoiseSVN repo browser at
# https://<myserver>/ARES/ComponentLibrary.
#
ARES_ComponentLibrary.dir = e:\svn_repository\ARES\ComponentLibrary
ARES_ComponentLibrary.description = This is the 'ARES Component Library' project repository.
ARES_ComponentLibrary.type = svn
ARES_ComponentLibrary.url = https://<myserver>/svn/ARES/ComponentLibrary
ARES_ComponentLibrary.hidden = true
tsvn = tsvn: Interact with TortoiseSvn
[trac]
authz_file = E:\etc\.svnaccess
authz_module_name = ARES
permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
permission_store = DefaultPermissionStore
#
# It should be noted that the path below doesn’t actually exist.
# There is no ComponentLibrary subfolder on the server, but it is
# accessible from the TortoiseSVN repo browser at
# https://<myserver>/ARES/ComponentLibrary.
#
repository_dir = e:\svn_repository\ARES\ComponentLibrary
repository_sync_per_request = (default)
repository_type = svn
TRAC does not seem to follow the svn access controls. Users can only access
the TRAC repository associated with ARES/ComponentLibrary if their userids
are in the admin group. In this case, greg and joseph cannot access the
ARES/ComponentLibrary TRAC project, even though they are in the ARES_team
group which is allowed to access it. (They can access it fine through
TortoiseSVN.)
If I add greg and joseph to the admin group, then they can access the TRAC
ARES/ComponentLibrary project. This is not how the authorization should
work. The behavior should be the same as the one Subversion uses.
Am I missing a setting or have a setting wrong? Thanks in advance.
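Added example, not part of the original post and not Trac or Subversion code: a small evaluator for the .svnaccess rules quoted above, useful for checking what a given repository name, path and user resolve to. It assumes a simplified model of Subversion's lookup (most specific path first, the `repo:path` section before the plain `path` section, rights within one section combined); the function names and the repository name `other` in the test are hypothetical.

```python
# Constructed copy of the .svnaccess rules from the post (sample input).
AUTHZ = r"""
[groups]
admin = domain\beth, domain\eric
ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
[/]
@admin = rw
[ARES:/]
* =
[ARES:/ComponentLibrary]
@ARES_team = rw
"""

def parse(text):
    """Return {section: [(principal, rights), ...]} keeping file order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def section_rights(rules, groups, user):
    """Union of rights from every line matching user; None if no line matches."""
    hits = [rights for who, rights in rules
            if who in ("*", user) or (who.startswith("@") and user in groups.get(who[1:], ()))]
    return "".join(sorted(set("".join(hits)))) if hits else None

def access(text, repo, path, user):
    """Rights for user on repo:path, walking from the path up to '/'."""
    sections = parse(text)
    groups = {g: [m.strip() for m in members.split(",")]
              for g, members in sections.get("groups", [])}
    parts = [p for p in path.split("/") if p]
    while True:
        here = "/" + "/".join(parts)
        for name in (f"{repo}:{here}", here):  # repository-specific section first
            if name in sections:
                rights = section_rights(sections[name], groups, user)
                if rights is not None:
                    return rights
        if not parts:
            return ""  # no rule matched anywhere: no access
        parts.pop()
```

Under this model, a lookup made with any repository name other than `ARES` never reaches the `[ARES:...]` sections and is decided by `[/]` alone, which grants access only to the admin group.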