Deron Meranda
deron.meranda at gmail.com
Fri Sep 1 01:39:56 EDT 2006
On 9/1/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> In my real job, we are finally converting to using subversion. Now
> although subversion when used through Apache still supports a
> level of user authorisation,
> ... you can't use its authorisation mechanism to implement
> a fine grained level of authorisation.
> ...
> So, mod_python to the rescue.

It's nice to see somebody else's approach to this too. I've done
something similar for my subversion repository about three weeks ago.
Only I'm driving the whole thing through a set of MySQL tables which
contain all the access rules.

> from mod_python import apache
> import fnmatch

The fnmatch module is a neat shortcut; I always keep forgetting about
that one. I tend to do the regexes the hard(er) way.

> BLOCK_URI = '/svn/drives/!svn/*/*/packages/tags/*/*/*'
>
> BLOCK_METHOD = [ 'MKCOL', 'PUT', 'PROPPATCH', 'CHECKOUT',
>                  'MERGE', 'MKACTIVITY', 'LOCK', 'UNLOCK' ]
>
> def authzhandler(req):
>     # Deny write-type DAV methods on the tags area; everything else falls through.
>     if fnmatch.fnmatch(req.uri, BLOCK_URI):
>         if req.method in BLOCK_METHOD:
>             return apache.HTTP_FORBIDDEN
>     return apache.OK

I like to reverse this logic and list those methods I want to allow
instead of those to block. There are so many different methods (and
more being invented by the DAV working groups all the time), that I
don't want to leave one out. The methods needed for complete
read-only access are:

    ['GET','HEAD','OPTIONS','PROPFIND','REPORT']

As Graham noticed you can also choose to allow some others, such as
COPY, to give something in between a read-only and full access. It
can get complicated though.

Another trick I use is setting the username which gets written into
the subversion changelogs (when doing writes/commits). I need to do
this first off because I'm using mod_python for full authentication
and authorization, instead of any of the Apache auth* modules. Also I
wanted to be able to have subversion record the user's permanent id
number in addition to the username (which could in theory change
someday).

Well, the trick is really simple; just assign into the req->user
member whatever string you want to appear in the subversion change
logs.

Oh, another subversion+mod_python issue. I actually have my website
itself stored in subversion, including all my mod_python module files
and so forth. For most of the website I use the http:... style URL
for the subversion client (svn) when keeping those files up to date.
However for the smaller core set of files, including my
authentication module, I have it using the more direct file:... URLs.
This is important in case your head revision gets broken. If you were
using the http: urls, then your subversion access would also be
broken and you couldn't easily revert back your changes.

---

And also, obviously, you should implement careful access control on
those parts of the subversion repository which contain the
security-critical portions of your website.

--
Deron Meranda
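An added example (not code from this post or from Graham Dumpleton) of the allow-list variant Deron describes: a mod_python authzhandler that admits only the read-only DAV methods on the tags area, reusing Graham's BLOCK_URI glob. The ImportError fallback is an assumption for running the decision logic outside Apache; it mirrors mod_python's apache.OK (0) and apache.HTTP_FORBIDDEN (403), and the second glob is a constructed rule for the same path without the !svn prefix.

```python
import fnmatch

try:
    from mod_python import apache
    OK, HTTP_FORBIDDEN = apache.OK, apache.HTTP_FORBIDDEN
except ImportError:
    # Assumed fallback: the numeric values mod_python exposes, so decide()
    # can be exercised outside Apache (e.g. in a unit test).
    OK, HTTP_FORBIDDEN = 0, 403

# The methods the post lists as sufficient for read-only access over DAV.
READ_ONLY_METHODS = frozenset(['GET', 'HEAD', 'OPTIONS', 'PROPFIND', 'REPORT'])

# Rule table: (URI glob, methods allowed there).  First match wins.
# Graham's glob covers the tags area as addressed through Subversion's
# !svn working/version resources; the second entry is a constructed rule
# for the same area addressed directly.  Caveat: fnmatch's '*' also
# matches '/', so each glob reaches into every subdirectory beneath it.
RULES = [
    ('/svn/drives/!svn/*/*/packages/tags/*/*/*', READ_ONLY_METHODS),
    ('/svn/drives/packages/tags/*', READ_ONLY_METHODS),
]


def decide(uri, method):
    """Allow-list decision: a URI covered by a rule admits only the listed
    methods, so any new or unexpected DAV verb is refused by default.
    HTTP method names are case-sensitive, so no normalisation is done."""
    for pattern, allowed in RULES:
        if fnmatch.fnmatchcase(uri, pattern):
            return OK if method in allowed else HTTP_FORBIDDEN
    # No rule matched: defer to Apache's and Subversion's own authorization.
    return OK


def authzhandler(req):
    # mod_python entry point (PythonAuthzHandler); all logic lives in decide().
    return decide(req.uri, req.method)
```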