You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by solo turn <so...@gmail.com> on 2004/08/20 15:17:52 UTC
access control: viewcvs
hi,
we restricted access to our svn repository via apache and the
AuthzSVNAccessFile directive.
how can we reach that these access rights do also apply when exposing
the repository with viewcvs?
-solo.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: access control: viewcvs
Posted by "C. Michael Pilato" <cm...@collab.net>.
solo turn <so...@gmail.com> writes:
> how can we reach that these access rights do also apply when exposing
> the repository with viewcvs?
ViewCVS has its own mailing list -- viewcvs@lyra.org. Ask there.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: access control: viewcvs
Posted by Ben Reser <be...@reser.org>.
On Tue, Aug 24, 2004 at 10:45:03PM -0700, Greg Stein wrote:
> Not nice. It won't work. Throw a /*checkout*/ URL in there, and it alters
> all of the paths seen. Whoops!
>
> Not to mention that we've considered various URL schems where the command
> goes into the URL path rather than as a query part. Again, the path gets
> all skewed.
That's what I was trying to say. Thanks for saying it better.
--
Ben Reser <be...@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: access control: viewcvs
Posted by Greg Stein <gs...@lyra.org>.
On Mon, Aug 23, 2004 at 05:03:05PM -0500, C. Michael Pilato wrote:
> Michael W Thelen <th...@cs.utah.edu> writes:
>
> > > Huh? Will that actually work? mod_authz_svn's primary purpose is to
> > > decode the special URLs we use into a fashion that can do path based
> > > authorization.
> >
> > Works for me... because it's in a <Location> block, I think the path being
> > accessed looks exactly the same to mod_authz_svn whether it's being accessed
> > via /svn or /viewsvn (i.e. both http://example.com/svn/foo and
> > http://example.com/viewsvn/foo require authorization to access /foo in the
> > repository at /path/to/repos).
>
> Ah, yes, I can see how this works. So, the fact that mod_authz_svn
> can decode those special URLs is irrelevant -- ViewCVS doesn't use the
> special URLs. The important thing is that all ViewCVS URLs are normal
> GETs, and mod_authz_svn does the right thing for normal GETs aimed at
> a Subversion repository.
>
> Nice.
Not nice. It won't work. Throw a /*checkout*/ URL in there, and it alters
all of the paths seen. Whoops!
Not to mention that we've considered various URL schems where the command
goes into the URL path rather than as a query part. Again, the path gets
all skewed.
Cheers,
-g
--
Greg Stein, http://www.lyra.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: access control: viewcvs
Posted by "C. Michael Pilato" <cm...@collab.net>.
Michael W Thelen <th...@cs.utah.edu> writes:
> > Huh? Will that actually work? mod_authz_svn's primary purpose is to
> > decode the special URLs we use into a fashion that can do path based
> > authorization.
>
> Works for me... because it's in a <Location> block, I think the path being
> accessed looks exactly the same to mod_authz_svn whether it's being accessed
> via /svn or /viewsvn (i.e. both http://example.com/svn/foo and
> http://example.com/viewsvn/foo require authorization to access /foo in the
> repository at /path/to/repos).
Ah, yes, I can see how this works. So, the fact that mod_authz_svn
can decode those special URLs is irrelevant -- ViewCVS doesn't use the
special URLs. The important thing is that all ViewCVS URLs are normal
GETs, and mod_authz_svn does the right thing for normal GETs aimed at
a Subversion repository.
Nice.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: access control: viewcvs
Posted by solo turn <so...@gmail.com>.
On Mon, 23 Aug 2004 15:19:58 -0600, Michael W Thelen
<th...@cs.utah.edu> wrote:
> * Ben Reser <be...@reser.org> [2004-08-23 10:49]:
> > > Use the exact same authorization mechanism. For example, something like this:
> > >
> > > # Subversion repository
> > > <Location /svn>
> > > DAV svn
> > > SVNPath /path/to/repos
> > > AuthType Basic
> > > AuthName "Subversion Repository"
> > > AuthUserFile /usr/local/apache2/conf/svn-auth
> > > Require valid-user
> > > AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
> > > </Location>
> > >
> > > # ViewSVN
> > > ScriptAlias /viewsvn /path/to/viewcvs.cgi
> > > <Location /viewsvn>
> > > SVNPath /path/to/repos
> > > AuthType Basic
> > > AuthName "ViewSVN"
> > > AuthUserFile /usr/local/apache2/conf/svn-auth
> > > Require valid-user
> > > AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
> > > </Location>
> >
> > Huh? Will that actually work? mod_authz_svn's primary purpose is to
> > decode the special URLs we use into a fashion that can do path based
> > authorization.
>
> Works for me... because it's in a <Location> block, I think the path being
> accessed looks exactly the same to mod_authz_svn whether it's being accessed
> via /svn or /viewsvn (i.e. both http://example.com/svn/foo and
> http://example.com/viewsvn/foo require authorization to access /foo in the
> repository at /path/to/repos).
how would you handle this with parentPaths?
e.g.:
http://example.com/cgi-bin/viewcvs.cgi/trunk/?root=rep1
which i can change via dropdown to:
http://example.com/cgi-bin/viewcvs.cgi/trunk/?root=rep2
httpd.conf contains:
<Location /svn>
DAV svn
SVNParentPath /path/to
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /usr/local/apache2/conf/svn-auth
Require valid-user
AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
</Location>
viewcvs.conf ocntains:
root_parents = /path/to : svn
another thing:
did you also revoke the permission to access /path/to/viewcvs.cgi url?
-solo.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: access control: viewcvs
Posted by Michael W Thelen <th...@cs.utah.edu>.
* Ben Reser <be...@reser.org> [2004-08-23 10:49]:
> > Use the exact same authorization mechanism. For example, something like this:
> >
> > # Subversion repository
> > <Location /svn>
> > DAV svn
> > SVNPath /path/to/repos
> > AuthType Basic
> > AuthName "Subversion Repository"
> > AuthUserFile /usr/local/apache2/conf/svn-auth
> > Require valid-user
> > AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
> > </Location>
> >
> > # ViewSVN
> > ScriptAlias /viewsvn /path/to/viewcvs.cgi
> > <Location /viewsvn>
> > SVNPath /path/to/repos
> > AuthType Basic
> > AuthName "ViewSVN"
> > AuthUserFile /usr/local/apache2/conf/svn-auth
> > Require valid-user
> > AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
> > </Location>
>
> Huh? Will that actually work? mod_authz_svn's primary purpose is to
> decode the special URLs we use into a fashion that can do path based
> authorization.
Works for me... because it's in a <Location> block, I think the path being
accessed looks exactly the same to mod_authz_svn whether it's being accessed
via /svn or /viewsvn (i.e. both http://example.com/svn/foo and
http://example.com/viewsvn/foo require authorization to access /foo in the
repository at /path/to/repos).
--
Michael W. Thelen
No amount of genius can overcome a preoccupation with detail.
-- Levy's Eighth Law
Re: access control: viewcvs
Posted by Ben Reser <be...@reser.org>.
On Fri, Aug 20, 2004 at 12:58:43PM -0600, Michael W Thelen wrote:
> * solo turn <so...@gmail.com> [2004-08-20 10:35]:
> > we restricted access to our svn repository via apache and the
> > AuthzSVNAccessFile directive.
> >
> > how can we reach that these access rights do also apply when exposing
> > the repository with viewcvs?
>
> Use the exact same authorization mechanism. For example, something like this:
>
> # Subversion repository
> <Location /svn>
> DAV svn
> SVNPath /path/to/repos
> AuthType Basic
> AuthName "Subversion Repository"
> AuthUserFile /usr/local/apache2/conf/svn-auth
> Require valid-user
> AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
> </Location>
>
> # ViewSVN
> ScriptAlias /viewsvn /path/to/viewcvs.cgi
> <Location /viewsvn>
> SVNPath /path/to/repos
> AuthType Basic
> AuthName "ViewSVN"
> AuthUserFile /usr/local/apache2/conf/svn-auth
> Require valid-user
> AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
> </Location>
Huh? Will that actually work? mod_authz_svn's primary purpose is to
decode the special URLs we use into a fashion that can do path based
authorization. ViewCVS doesn't really use anything like this and rather
uses paths like so:
http://server/viewcvs.cgi/path/in/repo/foo.c
You can hide the viewcvs.cgi part with some aliasing. e.g.:
AliasMatch ^(/.*) /var/www/cgi-bin/viewcvs.cgi$1
But that's just hiding the implementation detail from the end user...
--
Ben Reser <be...@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: access control: viewcvs
Posted by Michael W Thelen <th...@cs.utah.edu>.
* solo turn <so...@gmail.com> [2004-08-20 10:35]:
> we restricted access to our svn repository via apache and the
> AuthzSVNAccessFile directive.
>
> how can we reach that these access rights do also apply when exposing
> the repository with viewcvs?
Use the exact same authorization mechanism. For example, something like this:
# Subversion repository
<Location /svn>
DAV svn
SVNPath /path/to/repos
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /usr/local/apache2/conf/svn-auth
Require valid-user
AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
</Location>
# ViewSVN
ScriptAlias /viewsvn /path/to/viewcvs.cgi
<Location /viewsvn>
SVNPath /path/to/repos
AuthType Basic
AuthName "ViewSVN"
AuthUserFile /usr/local/apache2/conf/svn-auth
Require valid-user
AuthzSVNAccessFile /usr/local/apache2/conf/svn-access
</Location>
--
Michael W. Thelen
A satirist is a man who discovers unpleasant things about himself and then
says them about other people.
-- Peter McArthur