Edgewall Software

Version 1 (modified by Felix Collins, 18 years ago)

Created page TracMultipleProjectsSVNAccess

How to control access to multiple projects using mod_authz_svn.so

This information applies to multiple project installs of Trac served through Apache. In principle the same information should apply to single project Tracs, but this hasn't been tested. The examples come from a Windows environment but I can't see why a similar setup would not work elsewhere.

It is convenient to keep all the access restrictions to a project in one place. Trac already supports this for browsing of source code (see FineGrainedPermissions). This page describes how to use the mod_authz_svn.so module to do this for the whole project.

A prerequisite for this being really convenient is that your repositories have the same names as your Trac projects. Something like:

C:/repos/project1 - for the repository
C:/trac/project1 - for the Trac project

mod_authz_svn.so will still work if you do not have this setup but you will have to add additional access restrictions in the SVN access file.

The mod_authz_svn.so module simply takes a path, strips off the parent path and checks the user's access based on that stripped path, the user's name and their access rights in the SVN access file. It works standalone from Subversion as a module in Apache, so it may have other cunning uses, who knows…

To get mod_authz_svn.so running it must be loaded in the Apache httpd.conf file.

Example from httpd.conf:

LoadModule authz_svn_module modules/mod_authz_svn.so

To activate it for the location that serves your Trac projects, the following must be inside that location.

Example from httpd.conf:

  #Restrict access to Trac projects based on SVN access rights
  SVNParentPath D:/mytracprojects
  AuthzSVNAccessFile "C:/Program Files/Apache Group/Apache2/conf/svnaccessfile.txt"

To get access to a Trac project, the user must first pass any authentication you have in place. They must then have access rights defined in the SVN access file. If they have read-only rights, they will be able to view things in Trac but make no modifications. If they have read and write rights, they have normal access.

The permissions system built into Trac comes into play once a user has authenticated and had their access checked by mod_authz_svn.so. This means that any other permission restrictions must still be defined in Trac.

For more information on the SVN access file, see the Subversion Book.

One other tip is for the situation where a user is read-only on the repository but needs to create tickets in Trac. Simply create a section in the SVN access file for the newticket URL. Of course, you must be careful that there is not actually a path in your repository called /newticket.

Example from svn access file:

[project1:/newticket]
user1 = rw
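
A simplified model of the lookup described above, added here as an illustration (it is not part of the original page and not mod_authz_svn's own code): it strips an assumed parent URL, finds the most specific section that names the user, and flags a /newticket-style section that collides with a real repository path. It handles plain user names only (no groups, aliases or `*`); `PARENT_URL`, the function names and the sample data are assumptions.

```python
import configparser
import posixpath

# Constructed sample; section and user names follow the page's example.
ACCESS_FILE = """\
[project1:/]
user1 = r
user2 = rw

[project1:/newticket]
user1 = rw
"""
PARENT_URL = "/projects"  # assumption: URL prefix of the Location serving Trac

def load_rules(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}

def split_url(url_path):
    """Strip the parent path; return (project name, path inside the project)."""
    path = posixpath.normpath(url_path)
    if not path.startswith(PARENT_URL + "/"):
        raise ValueError("not under the parent path: " + url_path)
    name, _, sub = path[len(PARENT_URL) + 1:].partition("/")
    return name, "/" + sub

def access_for(rules, user, url_path):
    """Return "rw", "r" or "" from the most specific section naming the user."""
    name, path = split_url(url_path)
    while True:
        entries = rules.get(f"{name}:{path}", {})
        if user in entries:
            return entries[user]
        if path == "/":
            return ""  # no section names this user: no access
        path = posixpath.dirname(path)

def trac_url_collisions(rules, repo_top_level, trac_names=("newticket",)):
    """Sections written for a Trac URL whose name is also a real repository path."""
    hits = []
    for section in rules:
        name, _, path = section.partition(":")
        top = path.strip("/").split("/")[0]
        if top in trac_names and top in repo_top_level.get(name, ()):
            hits.append(section)
    return hits

if __name__ == "__main__":
    rules = load_rules(ACCESS_FILE)
    print(access_for(rules, "user1", "/projects/project1/newticket"))
    print(trac_url_collisions(rules, {"project1": {"trunk", "newticket"}}))
```

In practice the top-level directory names passed to `trac_url_collisions` would come from listing each repository's root.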