Edgewall Software

Version 3 (modified by Felix Collins, 18 years ago)

Fixed a typo

How to control access to multiple projects using mod_authz_svn.so

Introduction

This information applies to multi-project installations of Trac served through Apache. In principle the same information should apply to single-project Trac installations, but this hasn't been tested. The examples come from a Windows environment, but I can't see why a similar setup would not work elsewhere.

It is convenient to keep all the access restrictions to a project in one place. Trac already supports this for browsing of source code (see FineGrainedPermissions). This page describes how to use the mod_authz_svn.so module to do this for the whole project.

Matching repo and Trac names

A prerequisite for this being really convenient is that your repositories have the same names as your Trac projects. Something like:

C:/repos/project1 - for the repository
C:/trac/project1 - for the Trac project

mod_authz_svn.so will still work if you do not have this setup, but you will have to add additional access restrictions in the SVN access file.

mod_authz_svn

The mod_authz_svn.so module simply takes a path, strips off the parent path, and checks the user's access based on that stripped path, the user's name, and their access rights in the SVN access file. It works standalone from Subversion as a module in Apache, so it may have other cunning uses, who knows…

To get mod_authz_svn.so running it must be loaded in the Apache httpd.conf file.

Example from httpd.conf:

LoadModule authz_svn_module modules/mod_authz_svn.so

To activate it for the location that serves your Trac projects, the following must be inside that location.

Example from httpd.conf:

  #Restrict access to Trac projects based on SVN access rights
  SVNParentPath D:/mytracprojects
  AuthzSVNAccessFile "C:/Program Files/Apache Group/Apache2/conf/svnaccessfile.txt"

Setting Access

To get access to a Trac project, the user must first pass any authentication you have in place. They must then have access rights defined in the SVN access file. If they have read-only rights, they will be able to view things in Trac but make no modifications. If they have read and write rights, they have the normal access.

The permissions system built into Trac comes into play once a user has authenticated and had their access checked by mod_authz_svn.so. This means that any other permission restrictions must still be defined in Trac.

For more information on the SVN access file, see the Subversion Book.

Access to Trac for managers and testers

One other tip is for the situation where a user is read-only on the repo but needs to create tickets in Trac. Simply create a section in the SVN access file for the newticket URL. Of course, you must be careful that there is not actually a path in your repository that is called /newticket.

Example from svn access file:

[project1:/newticket]
user1 = rw
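
To audit what an access file will actually permit before deploying it, the check described above can be modelled offline. The following is an added example, not code from this page or from Subversion: a simplified model of the lookup (no groups or global `[/path]` sections), in which the `/projects` location prefix, the `[project1:/]` section, `user2` and all function names are assumptions. mod_authz_svn requires only read access for GET, OPTIONS, PROPFIND and REPORT, and write access for other methods such as POST.

```python
import configparser

# Constructed sample access file in the page's format: user1 is read-only on
# project1 except for the /newticket section shown on the page.
SAMPLE_AUTHZ = """
[project1:/]
user1 = r
user2 = rw

[project1:/newticket]
user1 = rw
"""

LOCATION = "/projects"  # assumed <Location> prefix; the page does not give one
READ_METHODS = {"GET", "OPTIONS", "PROPFIND", "REPORT"}  # anything else needs write

def load_rules(text):
    """Parse the access file into {section name: {user: rights}}."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def rights(rules, user, repo, path):
    """Simplified lookup: the nearest [repo:/path] section naming the user or '*' wins."""
    parts = [p for p in path.split("/") if p]
    while True:
        section = rules.get(f"{repo}:/" + "/".join(parts), {})
        for name in (user, "*"):
            if name in section:
                return section[name]
        if not parts:
            return ""  # no rule found anywhere up to the root: deny
        parts.pop()  # fall back to the parent path

def allowed(rules, user, method, url):
    """Strip the parent location, split repo name from path, then require r or w."""
    if not url.startswith(LOCATION + "/"):
        return False
    repo, _, rest = url[len(LOCATION) + 1:].partition("/")
    need = "r" if method in READ_METHODS else "w"
    return need in rights(rules, user, repo, "/" + rest)
```

Running `allowed()` over the URLs and methods Trac uses shows which form submissions a read-only user can still make, and that a user or project with no matching section is denied.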

A Problem

Using the setup as described above has one drawback. You lose access to the default listing of Trac projects that was returned if you accessed the base Trac URL with no project name. There may be a workaround for this but I haven't yet found it.
