Opened 13 years ago

Closed 13 years ago

#4 closed defect (fixed)

projects need to grant svn access

Reported by: Horst Meyerdierks Owned by: Horst Meyerdierks
Priority: major Milestone:
Component: trac Version:
Keywords: Cc:

Description (last modified by Horst Meyerdierks)

The developers on a project can use the web admin plugin to change which existing users can access the trac environment (including browsing the repository), but proper access to the svn repository via HTTPS/WebDAV is firmly under control of the superuser on the server.

Could the per-project group definitions in dav_svn.authz be collected automatically from projects rather than the whole file be edited centrally only by root@forge?

Change History (7)

comment:1 Changed 13 years ago by Horst Meyerdierks

Description: modified (diff)
Owner: changed from somebody to Horst Meyerdierks

comment:2 Changed 13 years ago by Horst Meyerdierks

Status: newassigned

comment:3 Changed 13 years ago by Horst Meyerdierks

Yes, it should be possible to have a Perl script that uses the trac-admin command on each trac environment to collect information as to which user accounts have user or developer access. From that the Perl script can calculate the full authz file. The Perl script could be a CGI script and we could allow any registered user to invoke it. A developer can then first use the web admin plugin to change access to the trac environment, then they can invoke the authz collector to synchronise svn access with trac access. Problem is that the authz file is root-owned. The CGI script would have to be SUID root.

comment:4 Changed 13 years ago by Horst Meyerdierks

The authz file should be in svn, nonetheless. So the Perl script would first check it out of the ROEadmin repository, then collect the information for the new version from trac environments, then write the new file, then commit it back to the repository. Running as root, it has to use svn via HTTPS/WebDAV and not through a file URL, at least for the committal. For this purpose there has to be a user account root@forge that has developer access to the ROEadmin project.

comment:5 Changed 13 years ago by Horst Meyerdierks

Type: enhancementdefect

comment:6 Changed 13 years ago by Horst Meyerdierks

I now have a Perl utility that will collect a new authz file from the projects, but it needs more testing. When working it will simply run from cron and overwrite the previous authz file. No mucking about with svn as root@forge.

comment:7 Changed 13 years ago by Horst Meyerdierks

Resolution: fixed
Status: assignedclosed

The cron job is in place and runs every hour. It lists the permissions for each project and uses the "user" and "developer" permission groups to learn which users should have read or read/write access to the corresponding svn repositories.

Note: See TracTickets for help on using tickets.