Platform: Windows Server 2008 R2
Apache 2.2.23 (win32)/SSL 1.0.0j upgrading to Apache 2.4.23 (win32)/SSL
1.0.2h
CollabNet Subversion Client SVNServe 1.7.8
Trac 1.0.9 (win32)
Python 2.7.1
On a Windows server, I had Subversion and Trac interacting nicely when
running Apache 2.2.23, Subversion 1.7.8 with Trac 1.0.9 and the mod_python
module. Access to Trac projects was permitted based on access control
groups defined in the subversion access control file. The setting of the
AuthzSVNAccessFile variable in the httpd.conf file pointed to the
subversion access control file, e:/etc/.svnaccess. If the user had access
to a subversion repo, then they had access to the associated Trac project,
otherwise access was denied.
The httpd.conf file contained the following:
<Location /trac>
SVNParentPath e:/svn_repository
AuthzSVNAccessFile "E:/etc/.svnaccess"
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir e:\trac
PythonOption TracUriRoot /trac
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName "UTAS TRAC Login (Use domain\userid format)"
Require valid-user
</Location>
I then had to upgrade Apache/SSL to 2.4.23, 1.0.2h. With this upgrade,
mod_python was obsoleted so I had to switch to use mod_wsgi load module. I
added in the mod_wsgi.so load module and modified the config file to remove
the Python-related settings (keeping the AuthzSVNAccessFile setting), and
adding in mod_wsgi info.
After the Apache upgrade, the httpd.conf file contained:
<Location /trac>
SVNParentPath e:/svn_repository
AuthzSVNAccessFile "E:/etc/.svnaccess"
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName "UTAS TRAC Login (Use domain\userid format)"
Require valid-user
</Location>
WSGIScriptAlias /trac e:/trac/trac.wsgi
<Directory "e:/trac">
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
The e:/trac.wsgi has the following in it:
import os
import trac.web.main
import site
site.addsitedir('e:\Python\Lib\site-packages')
os.environ['PYTHON_EGG_CACHE'] = r'c:\Trac-Python-Egg-Cache'
def application(environ, start_response):
environ['trac.env_parent_dir'] = r'e:\trac'
return trac.web.main.dispatch_request(environ, start_response)
The trac.ini file (for Beth_test project) has these critical sections, same
as before the Apache upgrade:
[components]
tracopt.versioncontrol.svn.* = enabled
tracstats.* = enabled
[repositories]
Beth_test.dir = e:\svn_repository\Beth_test
Beth_test.description = This is the ‘Beth_test’ project repository on the
Test svn server.
Beth_test.type = svn
Beth_test.url = https://<my_server>/svn/Beth_test
Beth_test.hidden = true
tsvn = tsvn: Interact with TortoiseSvn
[trac]
authz_file = E:\etc\.svnaccess
permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy,
LegacyAttachmentPolicy
permission_store = DefaultPermissionStore
repository_dir = e:\svn_repository\Beth_test
repository_type = svn
…plus a bunch of other settings
My directory structure on the server is:
E:\svn_repository\
Beth_test
SVN_test
E:\trac\
Beth_test
SVN_test
When I bring up the Trac url after entering my active directory
credentials, I see the 2 Trac projects listed. However when I click on a
project, it gives me access to it even though I have not added my id to the
access control group associated with the subversion Beth_test repo. With
TortoiseSVN I am properly blocked, but with Trac using the mod_wsgi module,
I can (erroneously) access the Trac project and subsequently browse the
subversion source.
There is nothing useful in the Apache or Trac log files.
Any idea why Trac no longer follows the subversion access control
permissions after upgrading Apache and switching from mod_python to
mod_wsgi?
--
You received this message because you are subscribed to the Google Groups "Trac
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
