On Wednesday, April 13, 2016 at 4:44:58 PM UTC-4, RjOllos wrote:
>
> On Monday, April 11, 2016 at 8:03:19 AM UTC-7, Mary Loftis wrote:
>>
>> I am having an issue with TRAC not adhering to the Subversion access
>> control permissions.
>>
>> Platform/Authentication Info
>>
>> OS: Windows Server 2008 R2 Standard SP1 (64 bit)
>> Service: CollabNet Subversion Apache 2.2.23 (win32)
>> Service: CollabNet Subversion Client svnserver v1.7.8
>> Client App: Tortoise SVN v1.8.11.26382 (64 bit)
>> Authentication: Apache using SSPI
>>
>> ===============================
>> In the httpd.conf file:
>>
>> # Among other load modules used are the following:
>> LoadModule authn_default_module modules/mod_authn_default.so
>> LoadModule authn_file_module modules/mod_authn_file.so
>> LoadModule authz_default_module modules/mod_authz_default.so
>> LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
>> LoadModule authz_host_module modules/mod_authz_host.so
>> LoadModule authz_user_module modules/mod_authz_user.so
>> LoadModule sspi_auth_module modules/mod_auth_sspi.so
>> LoadModule authz_svn_module modules/mod_authz_svn.so
>>
>> <Location /svn/>
>> DAV svn
>> SVNParentPath e:/svn_repository
>> SVNIndexXSLT /manual/style/xsl/svnindex.xsl
>> AuthType SSPI
>> SSPIAuth On
>> SSPIOfferSSPI Off
>> SSPIAuthoritative On
>> SSPIDomain <domaincontroller>
>> # Specify domain\userid in .svnaccess file so set SSPIOmitDomain to off.
>> SSPIOmitDomain Off
>> SSPIUsernameCase lower
>> SSPIPerRequestAuth On
>> SSPIOfferBasic On
>> AuthName " Subversion Login (Use domain\userid format)"
>> # Specify which users are allowed to access which svn projects
>> AuthzSVNAccessFile "E:/etc/.svnaccess"
>> Require valid-user
>> </Location>
>>
>> <Location /trac>
>> SVNParentPath e:/svn_repository
>> AuthzSVNAccessFile "E:/etc/.svnaccess"
>>
>> SetHandler mod_python
>> PythonHandler trac.web.modpython_frontend
>> PythonOption TracEnvParentDir e:\trac
>> # Location and TracUriRoot have the same path
>> # TracUriRoot may or may not be necessary in your setup.
>> PythonOption TracUriRoot /trac
>>
>> AuthType SSPI
>> SSPIAuth On
>> SSPIOfferSSPI Off
>> SSPIAuthoritative On
>> SSPIDomain <domaincontroller>
>> SSPIOmitDomain Off
>> SSPIUsernameCase lower
>> SSPIPerRequestAuth On
>> SSPIOfferBasic On
>> AuthName "TRAC Login (Use domain\userid format)"
>> Require valid-user
>> </Location>
>>
>> <Location /trac/login>
>> AuthType SSPI
>> AuthName "Trac Login"
>> SSPIAuth On
>> SSPIAuthoritative On
>> SSPIDomain MyLocalDomain
>> SSPIOfferBasic On
>> SSPIOmitDomain Off
>> SSPIBasicPreferred On
>> Require valid-user
>> </Location>
>>
>> #Include e:/etc/subversion.conf
>>
>> ===============================
>> In the e:/etc/subversion.conf file:
>>
>> <Location /ARES>
>> DAV svn
>> SVNPath E:/svn_repository/ARES
>> AuthType Basic
>> AuthName "Subversion ARES repository"
>> Require valid-user
>> ErrorDocument 404 default
>> </Location>
>>
>> Svn repo for which a TRAC project has been created is
>> E:\svn_repository\ARES.
>>
>> On the server, E:\svn_repository\ARES contains the following folders:
>>
>> Conf
>> Dav
>> Db
>> Hooks
>> Locks
>>
>> And the following files:
>>
>> Format
>> Readme.txt
>>
>> ===============================
>>
>> In the svn access control file, e:\etc\.svnaccess, is:
>>
>> # Groups are defined.
>> [groups]
>> admin = domain\beth, domain\eric
>> ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
>>
>> # Access to the top-level / directory is only for the admin group.
>> [/]
>> @admin = rw
>>
>> # Access to the ARES folder is forbidden for all.
>> [ARES:/]
>> * =
>>
>> # Access to subfolders under the ARES area is allowed.
>> [ARES:/ComponentLibrary]
>> @ARES_team = rw
>>
>> ===============================
>>
>> Access to the repositories works as it should for all users when using
>> TortoiseSVN. Only admins have access to the slash repo. No one can access
>> the ARES repo. Members of the ARES_team can access the
>> ARES/ComponentLibrary repo.
>>
>> We want a TRAC project which points to the ARES/ComponentLibrary area.
>> The following TRAC project is set up associated with the svn repo:
>>
>> [components]
>> tracopt.versioncontrol.svn.* = enabled
>> tracstats.* = enabled
>> trac.versioncontrol.api.repositorymanager = enabled
>> trac.versioncontrol.svn_authz.svnauthzoptions = enabled
>>
>> # This is an optional 'project root'
>> [stats]
>> root = e:\svn_repository\ARES\ComponentLibrary
>>
>> [repositories]
>> #
>> # It should be noted that the path below doesn’t actually exist.
>> # There is no ComponentLibrary subfolder on the server, but it is
>> # accessible from the TortoiseSVN repo browser at
>> # https://<myserver>/ARES/ComponentLibrary.
>> #
>> ARES_ComponentLibrary.dir = e:\svn_repository\ARES\ComponentLibrary
>> ARES_ComponentLibrary.description = This is the 'ARES Component Library' project repository.
>> ARES_ComponentLibrary.type = svn
>> ARES_ComponentLibrary.url = https://<myserver>/svn/ARES/ComponentLibrary
>> ARES_ComponentLibrary.hidden = true
>> tsvn = tsvn: Interact with TortoiseSvn
>>
>> [trac]
>> authz_file = E:\etc\.svnaccess
>> authz_module_name = ARES
>> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
>> permission_store = DefaultPermissionStore
>> #
>> # It should be noted that the path below doesn’t actually exist.
>> # There is no ComponentLibrary subfolder on the server, but it is
>> # accessible from the TortoiseSVN repo browser at
>> # https://<myserver>/ARES/ComponentLibrary.
>> #
>> repository_dir = e:\svn_repository\ARES\ComponentLibrary
>> repository_sync_per_request = (default)
>> repository_type = svn
>>
>> TRAC does not seem to follow the svn access controls. Users can only
>> access the TRAC repository associated with ARES/ComponentLibrary if their
>> userids are in the admin group. In this case, greg and joseph cannot access
>> the ARES/ComponentLibrary TRAC project, even though they are in the
>> ARES_team group which is allowed to access it. (They can access it fine
>> through TortoiseSVN.)
>>
>> If I add greg and joseph to the admin group, then they can access the
>> TRAC ARES/ComponentLibrary project. This is not how the authorization
>> should work. The behavior should be the same that subversion uses.
>>
>> Am I missing a setting or have a setting wrong? Thanks in advance.
>>
>
> If you enable logging you should get some messages about users being
> granted or denied access:
>
> https://trac.edgewall.org/wiki/TracFineGrainedPermissions#Debuggingpermissions
>
> There might be an inconsistency in the order of rule matching, similar to
> the issue discussed here:
> https://trac.edgewall.org/ticket/11744
>
> - Ryan
>

I did see that post earlier and already incorporated the changes to svn_authz.py. It did not help.
-Beth
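
Added example (not part of the thread, and not Trac or Subversion code): a simplified Python evaluator for the `.svnaccess` rules quoted above, following Subversion's lookup order of `[module:/path]`, then `[/path]`, then the parent path, with deny as the default. The module name `ARES_ComponentLibrary` in the last two checks is an assumption (the repository name from the `[repositories]` section) standing in for any name that has no `[name:/...]` section; aliases, `~` negation and nested groups are not handled.

```python
# Added example: simplified Subversion-style authz lookup (constructed for illustration).
# Rules copied from the .svnaccess file quoted in the thread.
AUTHZ = r"""
[groups]
admin = domain\beth, domain\eric
ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
[/]
@admin = rw
[ARES:/]
* =
[ARES:/ComponentLibrary]
@ARES_team = rw
"""

def parse(text):
    """Return {section name: [(subject, rights), ...]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            subject, rights = (s.strip() for s in line.split("=", 1))
            current.append((subject, rights))
    return sections

def can_read(sections, user, module, path):
    """Most specific path first; [module:/path] before [/path]; deny by default."""
    groups = {g: {m.strip() for m in members.split(",")}
              for g, members in sections.get("groups", [])}
    def applies(subject):
        if subject.startswith("@"):
            return user in groups.get(subject[1:], set())
        return subject in ("*", user)
    parts = [p for p in path.split("/") if p]
    while True:
        here = "/" + "/".join(parts)
        for name in (f"{module}:{here}", here):
            hits = [r for s, r in sections.get(name, []) if applies(s)]
            if hits:                      # this section decides for this user
                return any("r" in r for r in hits)
        if not parts:                     # reached "/" with no matching rule
            return False
        parts.pop()

RULES = parse(AUTHZ)
GREG, BETH = r"domain\greg", r"domain\beth"
print(can_read(RULES, GREG, "ARES", "/ComponentLibrary"))   # module matches a section
print(can_read(RULES, GREG, "ARES_ComponentLibrary", "/"))  # assumed name, no section
print(can_read(RULES, BETH, "ARES_ComponentLibrary", "/"))  # only [/] applies: admin
```

When the module name matches no section, only `[/]` is consulted and access collapses to the admin group, so the module name and path shown in Trac's permission debug log are worth comparing against the section headers in the authz file.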
