Opened 17 years ago

Closed 17 years ago

#4 closed defect (fixed)

projects need to grant svn access

Reported by: Horst Meyerdierks
Owned by: Horst Meyerdierks
Priority: major
Milestone:
Component: trac
Version:
Keywords:
Cc:

Description (last modified by Horst Meyerdierks)

The developers on a project can use the web admin plugin to change which existing users can access the trac environment (including browsing the repository), but proper access to the svn repository via HTTPS/WebDAV is firmly under control of the superuser on the server.

Could the per-project group definitions in dav_svn.authz be collected automatically from projects, rather than the whole file being edited centrally only by root@forge?

Change History (7)

comment:1 by Horst Meyerdierks, 17 years ago

Description: modified (diff)
Owner: changed from somebody to Horst Meyerdierks

comment:2 by Horst Meyerdierks, 17 years ago

Status: new → assigned

comment:3 by Horst Meyerdierks, 17 years ago

Yes, it should be possible to have a Perl script that uses the trac-admin command on each trac environment to collect information as to which user accounts have user or developer access. From that the Perl script can calculate the full authz file. The Perl script could be a CGI script and we could allow any registered user to invoke it. A developer can then first use the web admin plugin to change access to the trac environment, then they can invoke the authz collector to synchronise svn access with trac access. Problem is that the authz file is root-owned. The CGI script would have to be SUID root.

comment:4 by Horst Meyerdierks, 17 years ago

The authz file should be in svn, nonetheless. So the Perl script would first check it out of the ROEadmin repository, then collect the information for the new version from trac environments, then write the new file, then commit it back to the repository. Running as root, it has to use svn via HTTPS/WebDAV and not through a file URL, at least for the committal. For this purpose there has to be a user account root@forge that has developer access to the ROEadmin project.

comment:5 by Horst Meyerdierks, 17 years ago

Type: enhancement → defect

comment:6 by Horst Meyerdierks, 17 years ago

I now have a Perl utility that will collect a new authz file from the projects, but it needs more testing. When working it will simply run from cron and overwrite the previous authz file. No mucking about with svn as root@forge.

comment:7 by Horst Meyerdierks, 17 years ago

Resolution: fixed
Status: assigned → closed

The cron job is in place and runs every hour. It lists the permissions for each project and uses the "user" and "developer" permission groups to learn which users should have read or read/write access to the corresponding svn repositories.
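
The collection step described in this ticket, as an added example in Python; it is not part of the ticket and is not the Perl utility mentioned above. It assumes the tabular output of `trac-admin <env> permission list`, with group membership shown as a row whose action is the group name, and svn repository names equal to project names; the sample listing and account names are constructed.

```python
import re

# Assumption: names are limited to this set so that none can smuggle
# '=', '@', '*', '[' or a newline into the generated authz file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")
ACCESS = {"user": "r", "developer": "rw"}    # groups named in the ticket
PSEUDO = {"anonymous", "authenticated"}      # Trac built-ins, not accounts

SAMPLE = """\
User           Action
------------------------------
anonymous      WIKI_VIEW
developer      TICKET_MODIFY
alice          developer
bob            user
authenticated  user

Available actions:
 BROWSER_VIEW, TICKET_MODIFY, WIKI_VIEW
"""  # constructed sample of `trac-admin <env> permission list` output

def group_members(listing):
    """Return {group: set of accounts} for the groups in ACCESS."""
    members = {group: set() for group in ACCESS}
    for line in listing.split("Available actions")[0].splitlines():
        fields = line.split()
        if len(fields) != 2 or fields[1] not in ACCESS or fields[0] in PSEUDO:
            continue
        if not SAFE_NAME.fullmatch(fields[0]):
            raise ValueError("unsafe account name: %r" % fields[0])
        members[fields[1]].add(fields[0])
    return members

def render_authz(projects):
    """projects: {project name: permission listing} -> authz file text."""
    groups, rules = ["[groups]"], []
    for name in sorted(projects):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError("unsafe project name: %r" % name)
        rules += ["", "[%s:/]" % name]
        for group, users in group_members(projects[name]).items():
            if users:
                groups.append("%s_%s = %s" % (name, group, ", ".join(sorted(users))))
                rules.append("@%s_%s = %s" % (name, group, ACCESS[group]))
    return "\n".join(groups + rules) + "\n"
```

Any unsafe name aborts the whole run with an exception, so a cron job built this way keeps the previous authz file instead of installing a partly generated one.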
