I just tried accessing svn through TortoiseSVN and it is letting me access
the repo too. I shouldn't be allowed access to it. So I don't think it is
necessarily a trac problem but an Apache config problem. I'll have to do
some more investigation to figure out why it is letting me into the svn
repo. I thought I had been properly blocked by TortoiseSVN, but maybe I
confused my prod Apache server with my test (upgraded) Apache server. Back
to the drawing board.
On Tuesday, August 23, 2016 at 11:59:05 AM UTC-4, Mary Loftis wrote:
>
> Platform: Windows Server 2008 R2
> Apache 2.2.23 (win32)/SSL 1.0.0j upgrading to Apache 2.4.23 (win32)/SSL
> 1.0.2h
> CollabNet Subversion Client SVNServe 1.7.8
> Trac 1.0.9 (win32)
> Python 2.7.1
>
> On a Windows server, I had Subversion and Trac interacting nicely when
> running Apache 2.2.23, Subversion 1.7.8 with Trac 1.0.9 and the mod_python
> module. Access to Trac projects was permitted based on access control
> groups defined in the subversion access control file. The setting of the
> AuthzSVNAccessFile variable in the httpd.conf file pointed to the
> subversion access control file, e:/etc/.svnaccess. If the user had access
> to a subversion repo, then they had access to the associated Trac project,
> otherwise access was denied.
>
> The httpd.conf file contained the following:
>
> <Location /trac>
> SVNParentPath e:/svn_repository
> AuthzSVNAccessFile "E:/etc/.svnaccess"
> SetHandler mod_python
> PythonHandler trac.web.modpython_frontend
> PythonOption TracEnvParentDir e:\trac
> PythonOption TracUriRoot /trac
> AuthType SSPI
> SSPIAuth On
> SSPIOfferSSPI Off
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain Off
> SSPIUsernameCase lower
> SSPIPerRequestAuth On
> SSPIOfferBasic On
> AuthName "UTAS TRAC Login (Use domain\userid format)"
> Require valid-user
> </Location>
>
> I then had to upgrade Apache/SSL to 2.4.23, 1.0.2h. With this upgrade,
> mod_python was obsoleted so I had to switch to use mod_wsgi load module. I
> added in the mod_wsgi.so load module and modified the config file to remove
> the Python-related settings (keeping the AuthzSVNAccessFile setting), and
> adding in mod_wsgi info.
>
> After the Apache upgrade, the httpd.conf file contained:
>
> <Location /trac>
> SVNParentPath e:/svn_repository
> AuthzSVNAccessFile "E:/etc/.svnaccess"
> AuthType SSPI
> SSPIAuth On
> SSPIOfferSSPI Off
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain Off
> SSPIUsernameCase lower
> SSPIPerRequestAuth On
> SSPIOfferBasic On
> AuthName "UTAS TRAC Login (Use domain\userid format)"
> Require valid-user
> </Location>
>
> WSGIScriptAlias /trac e:/trac/trac.wsgi
>
> <Directory "e:/trac">
> WSGIApplicationGroup %{GLOBAL}
> Order deny,allow
> Allow from all
> </Directory>
>
>
> The e:/trac.wsgi has the following in it:
>
> import os
> import trac.web.main
> import site
>
> site.addsitedir('e:\Python\Lib\site-packages')
>
> os.environ['PYTHON_EGG_CACHE'] = r'c:\Trac-Python-Egg-Cache'
>
> def application(environ, start_response):
> environ['trac.env_parent_dir'] = r'e:\trac'
> return trac.web.main.dispatch_request(environ, start_response)
>
> The trac.ini file (for Beth_test project) has these critical sections,
> same as before the Apache upgrade:
>
> [components]
> tracopt.versioncontrol.svn.* = enabled
> tracstats.* = enabled
>
> [repositories]
> Beth_test.dir = e:\svn_repository\Beth_test
> Beth_test.description = This is the ‘Beth_test’ project repository on the
> Test svn server.
> Beth_test.type = svn
> Beth_test.url = https://<my_server>/svn/Beth_test
> Beth_test.hidden = true
> tsvn = tsvn: Interact with TortoiseSvn
>
> [trac]
> authz_file = E:\etc\.svnaccess
> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy,
> LegacyAttachmentPolicy
> permission_store = DefaultPermissionStore
> repository_dir = e:\svn_repository\Beth_test
> repository_type = svn
> …plus a bunch of other settings
>
>
> My directory structure on the server is:
>
>
> E:\svn_repository\
>
> Beth_test
>
> SVN_test
>
>
> E:\trac\
>
> Beth_test
>
> SVN_test
>
>
> When I bring up the Trac url after entering my active directory
> credentials, I see the 2 Trac projects listed. However when I click on a
> project, it gives me access to it even though I have not added my id to the
> access control group associated with the subversion Beth_test repo. With
> TortoiseSVN I am properly blocked, but with Trac using the mod_wsgi module,
> I can (erroneously) access the Trac project and subsequently browse the
> subversion source.
>
>
> There is nothing useful in the Apache or Trac log files.
>
>
> Any idea why Trac no longer follows the subversion access control
> permissions after upgrading Apache and switching from mod_python to
> mod_wsgi?
>
>
>
--
You received this message because you are subscribed to the Google Groups "Trac
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
