On Monday, April 11, 2016 at 11:03:19 AM UTC-4, Mary Loftis wrote:
>
> I am having an issue with TRAC not adhering to the Subversion access 
> control permissions. 
>
>  
>
> Platform/Authentication Info
>
> OS: Windows Server 2008 R2 Standard SP1 (64 bit)
> Service: CollabNet Subversion Apache 2.2.23 (win32)
> Service: CollabNet Subversion Client svnserver v1.7.8
> Client App: Tortoise SVN v1.8.11.26382 (64 bit)
> Authentication: Apache using SSPI
> TRAC 1.0.9 Win32 for Python
>  
>
> ===============================
>
> In the httpd.conf file:
>
> # Among other load modules used are the following:
> LoadModule authn_default_module modules/mod_authn_default.so
> LoadModule authn_file_module modules/mod_authn_file.so
> LoadModule authz_default_module modules/mod_authz_default.so
> LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
> LoadModule authz_host_module modules/mod_authz_host.so
> LoadModule authz_user_module modules/mod_authz_user.so
> LoadModule sspi_auth_module modules/mod_auth_sspi.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
>
> <Location /svn/>
>    DAV svn
>    SVNParentPath e:/svn_repository
>    SVNIndexXSLT /manual/style/xsl/svnindex.xsl
>    AuthType SSPI
>    SSPIAuth On
>    SSPIOfferSSPI Off
>    SSPIAuthoritative On
>    SSPIDomain <domaincontroller>
>    # Specify domain\userid in .svnaccess file so set SSPIOmitDomain to off.
>    SSPIOmitDomain Off
>    SSPIUsernameCase lower
>    SSPIPerRequestAuth On
>    SSPIOfferBasic On
>    AuthName " Subversion Login (Use domain\userid format)"
>    # Specify which users are allowed to access which svn projects
>    AuthzSVNAccessFile "E:/etc/.svnaccess"
>    Require valid-user
> </Location>
>
> <Location /trac>
>   SVNParentPath e:/svn_repository
>   AuthzSVNAccessFile "E:/etc/.svnaccess"
>
>   SetHandler mod_python
>   PythonHandler trac.web.modpython_frontend
>   PythonOption TracEnvParentDir e:\trac
>   # Location and TracUriRoot have the same path
>   # TracUriRoot may or may not be necessary in your setup.
>   PythonOption TracUriRoot /trac
>
>   AuthType SSPI
>   SSPIAuth On
>   SSPIOfferSSPI Off
>   SSPIAuthoritative On
>   SSPIDomain <domaincontroller>
>   SSPIOmitDomain Off
>   SSPIUsernameCase lower
>   SSPIPerRequestAuth On
>   SSPIOfferBasic On
>   AuthName "TRAC Login (Use domain\userid format)"
>   Require valid-user
> </Location>
>
> <Location /trac/login>
>   AuthType SSPI
>   AuthName "Trac Login"
>   SSPIAuth On
>   SSPIAuthoritative On
>   SSPIDomain MyLocalDomain
>   SSPIOfferBasic On
>   SSPIOmitDomain Off
>   SSPIBasicPreferred On
>   Require valid-user
> </Location>
>
> #Include e:/etc/subversion.conf
>
>  
>
> ===============================
>
> In the e:/etc/subversion.conf file:
>
> <Location /ARES>
>   DAV svn
>   SVNPath E:/svn_repository/ARES
>   AuthType Basic
>   AuthName "Subversion ARES repository"
>   Require valid-user
>   ErrorDocument 404 default
> </Location>
>
>  
>
>  
>
> Svn repo for which a TRAC project has been created is E:\svn_repository\ARES.
>
> On the server, E:\svn_repository\ARES contains the following folders:
>
>           Conf
>           Dav
>           Db
>           Hooks
>           Locks
>
>           And the following files:
>
>           Format
>           Readme.txt
>
>  
>
> ===============================
>
>  
>
> In the svn access control file, e:\etc\.svnaccess, is:
>
> # Groups are defined.
> [groups]
> admin = domain\beth, domain\eric
> ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
>
> # Access to the top-level / directory is only for the admin group.
> [/]
> @admin = rw
>
> # Access to the ARES folder is forbidden for all.
> [ARES:/]
> * =
>
> # Access to subfolders under the ARES area is allowed.
> [ARES:/ComponentLibrary]
> @ARES_team = rw
>
>  
>
> ===============================
>
>  
>
> Access to the repositories works as it should for all users when using 
> TortoiseSVN. Only admins have access to the slash repo. No one can access 
> the ARES repo. Members of the ARES_team can access the 
> ARES/ComponentLibrary repo.
>
>  
>
> We want a TRAC project which points to the ARES/ComponentLibrary area. The 
> following TRAC project is set up associated with the svn repo:
>
>  
>
> [components]
> tracopt.versioncontrol.svn.* = enabled
> tracstats.* = enabled
> trac.versioncontrol.api.repositorymanager = enabled
> trac.versioncontrol.svn_authz.svnauthzoptions = enabled
>
> # This is an optional 'project root'
> [stats]
> root = e:\svn_repository\ARES\ComponentLibrary
>
> [repositories]
> #
> # It should be noted that the path below doesn’t actually exist.
> # There is no ComponentLibrary subfolder on the server, but it is
> # accessible from the TortoiseSVN repo browser at
> # https://<myserver>/ARES/ComponentLibrary.
> #
> ARES_ComponentLibrary.dir = e:\svn_repository\ARES\ComponentLibrary
> ARES_ComponentLibrary.description = This is the 'ARES Component Library' project repository.
> ARES_ComponentLibrary.type = svn
> ARES_ComponentLibrary.url = https://<myserver>/svn/ARES/ComponentLibrary
> ARES_ComponentLibrary.hidden = true
> tsvn = tsvn: Interact with TortoiseSvn
>
> [trac]
> authz_file = E:\etc\.svnaccess
> authz_module_name = ARES
> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
> permission_store = DefaultPermissionStore
> #
> # It should be noted that the path below doesn’t actually exist.
> # There is no ComponentLibrary subfolder on the server, but it is
> # accessible from the TortoiseSVN repo browser at
> # https://<myserver>/ARES/ComponentLibrary.
> #
> repository_dir = e:\svn_repository\ARES\ComponentLibrary
> repository_sync_per_request = (default)
> repository_type = svn
>
>  
>
> TRAC does not seem to follow the svn access controls. Users can only 
> access the TRAC repository associated with ARES/ComponentLibrary if their 
> userids are in the admin group. In this case, greg and joseph cannot access 
> the ARES/ComponentLibrary TRAC project, even though they are in the 
> ARES_team group which is allowed to access it. (They can access it fine 
> through TortoiseSVN.)
>
>  
>
> If I add greg and joseph to the admin group, then they can access the TRAC 
> ARES/ComponentLibrary project. This is not how the authorization should 
> work. The behavior should be the same that subversion uses.
>
>  
>
> Am I missing a setting or have a setting wrong? Thanks in advance.
>
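Added example (not part of the original post, and not Trac or Subversion code): a simplified model of Subversion's path-based lookup, run over a constructed copy of the .svnaccess rules quoted above, to show which section decides access for a given module name and path. The helper names are hypothetical, and the module name ARES_ComponentLibrary (the repository name in the posted trac.ini) is tried only as an assumption for comparison.

```python
# Constructed copy of the rules quoted from e:\etc\.svnaccess in the post.
AUTHZ = r"""
[groups]
admin = domain\beth, domain\eric
ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
[/]
@admin = rw
[ARES:/]
* =
[ARES:/ComponentLibrary]
@ARES_team = rw
"""

def parse(text):
    """Return {section name: [(subject, rights), ...]} in file order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            subject, rights = (part.strip() for part in line.split("=", 1))
            current.append((subject, rights))
    return sections

def effective_rights(sections, module, path, user):
    """Simplified lookup: the nearest section with a rule matching the user wins."""
    groups = {name: {m.strip() for m in members.split(",")}
              for name, members in sections.get("groups", [])}
    def matches(subject):
        if subject.startswith("@"):
            return user in groups.get(subject[1:], set())
        return subject in ("*", user)
    path = "/" + path.strip("/")
    while True:
        for name in (f"{module}:{path}", path):  # repository-specific section first
            hits = [rights for subject, rights in sections.get(name, []) if matches(subject)]
            if hits:
                return name, "".join(sorted(set("".join(hits))))
        if path == "/":
            return None, ""  # no rule matched anywhere: access denied
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    # "ARES_ComponentLibrary" as a module name is an assumption for comparison.
    for module, path in (("ARES", "/ComponentLibrary"), ("ARES_ComponentLibrary", "/")):
        print(module, path, effective_rights(parse(AUTHZ), module, path, r"domain\greg"))
```

Under this model, module ARES with path /ComponentLibrary is decided by the ARES_team rule, while a module name that matches no section prefix falls through to [/], which grants access to @admin only.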

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.