Graham Dumpleton
graham.dumpleton at gmail.com
Sun Sep 23 21:32:40 EDT 2007
On 24/09/2007, Arnar Birgisson <arnarbi at gmail.com> wrote:
> Hello there,
>
> I'm having some trouble finding the right docs/examples to solve my problem.
>
> What I want to do is to use a database (a Django model) to control
> access to svn and trac (let's just focus on svn to begin with).
>
> My urls are of the form http://svn.domain.tld/projectname/. In the db
> I have an entry for each project, and on it a boolean field indicating
> if the project should be public-readable or not.
>
> How can I leave it up to the authen- or authzhandler to decide when
> username/passwd is required? Seems if I require anything a
> login-dialog is popped up, even if the authenhandler never looks at
> the username and just return apache.OK if the project is
> public-readable. If I have no require lines, no authentication seems
> to take place and everything is wide-open regardless of the
> public-readable switch.
>
> From [1] it seems the proper way with apache 2.2. is to provide both
> an authen- and authzhandler, but I don't quite see how things should
> work in my case.
>
> Ideally, I'd like my config to look something like this:
>
>     SetEnv DJANGO_SETTINGS_MODULE projectadmin.settings
>     PythonHandlerModule projectadmin.authenhandler
>     Require project-access svn_read
>     <LimitExcept GET PROPFIND OPTIONS REPORT>
>         Require project-access svn_write
>     </LimitExcept>
>
> Making it work sanely with other auth- or authz handlers is no issue for me.
>
> Arnar
>
> [1] http://www.modpython.org/pipermail/mod_python/2007-July/024055.html

Does it have to be configurable from Apache configuration, could you
just do it all in the Python script?

What we do to prevent people performing updates against tag
directories in subversion is:

  <Location /svn>
  DAV svn
  SVNParentPath /usr/local/repository/subversion
  .....

  PythonInterpreter subversion_handlers
  PythonPath 'sys.path + ["/usr/local/pkg/apps/subversion"]'
  PythonFixupHandler subversion_handlers::protect_tagged_packages
  </Location>

In the Python code file, then have:

  from mod_python import apache
  import fnmatch

  # When access is to tagged packages, only allow read/only operations
  # and copy command. This means that tagged packages will be able to
  # be created, but will prevent files within a tagged package being
  # changed and committed back into the repository, replacing files in
  # the tagged version.

  RESTRICTED_URI = '/svn/drives/!svn/*/*/packages/tags/*/*/*'
  ALLOW_METHODS = [ 'OPTIONS', 'GET', 'PROPFIND', 'REPORT', 'COPY' ]

  def protect_tagged_packages(req):
      if fnmatch.fnmatch(req.uri, RESTRICTED_URI):
          if req.method in ALLOW_METHODS:
              return apache.OK
          return apache.HTTP_FORBIDDEN
      return apache.OK

The only thing thus permitted on a tag directory is deleting it and
renaming it. Keep these for where people stuff up.

So, we don't even use auth/authz for this bit, but just use a fixup handler.

Graham
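
The rule in the reply above can be checked outside Apache before it is deployed. The following is an added example, not part of the original post: it runs the same pattern and method list over constructed request URIs to show which method/URI pairs get a 403. The Request stand-in, the sample URIs, the numeric OK/HTTP_FORBIDDEN stand-ins and the use of fnmatch.fnmatchcase are assumptions of this example.

```python
import fnmatch
from collections import namedtuple

# Stand-ins for mod_python's apache.OK / apache.HTTP_FORBIDDEN so the rule
# can be exercised without Apache (assumed values: 0 and 403).
OK, HTTP_FORBIDDEN = 0, 403

RESTRICTED_URI = '/svn/drives/!svn/*/*/packages/tags/*/*/*'
ALLOW_METHODS = ['OPTIONS', 'GET', 'PROPFIND', 'REPORT', 'COPY']

# Hypothetical request object: only the two attributes the handler reads.
Request = namedtuple('Request', 'method uri')

def protect_tagged_packages(req):
    # Same decision as the handler in the post. fnmatchcase is used here
    # (an assumption of this example) so matching is case-sensitive on
    # every platform; fnmatch.fnmatch normalises case on some systems.
    if fnmatch.fnmatchcase(req.uri, RESTRICTED_URI):
        return OK if req.method in ALLOW_METHODS else HTTP_FORBIDDEN
    return OK

# Constructed sample URIs; the layout is inferred from the pattern only.
BASE = '/svn/drives/!svn/wrk/ACTIVITY'
CASES = {
    'file inside tag': BASE + '/packages/tags/foo/1.0/setup.py',
    # fnmatch's '*' also matches '/', so deeper paths are covered too.
    'nested file inside tag': BASE + '/packages/tags/foo/1.0/src/lib/a.py',
    # Only two path segments after tags/, so the pattern does not match.
    'tag directory itself': BASE + '/packages/tags/foo/1.0',
    'trunk file': BASE + '/packages/trunk/foo/setup.py',
}
METHODS = ['GET', 'COPY', 'PUT', 'PROPPATCH', 'DELETE', 'MOVE']

def decision_matrix():
    """Return {(case name, method): status} for every sample URI and method."""
    return {(name, m): protect_tagged_packages(Request(m, uri))
            for name, uri in CASES.items() for m in METHODS}

def denied(matrix):
    """Sorted (case name, method) pairs that the rule rejects."""
    return sorted(k for k, v in matrix.items() if v == HTTP_FORBIDDEN)

if __name__ == '__main__':
    for name, method in denied(decision_matrix()):
        print('403', method, CASES[name])
```

Because the pattern needs three segments after tags/, DELETE and MOVE aimed at the tag directory itself pass through, which is the delete/rename allowance the reply describes.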