Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Listing projects without authentication doesn't work anymore. #145

Open
ams-tschoening opened this issue May 12, 2021 · 0 comments
Open

Listing projects without authentication doesn't work anymore. #145

ams-tschoening opened this issue May 12, 2021 · 0 comments

Comments

@ams-tschoening
Copy link
Contributor

I've just upgraded my WebSVN to master and recognized that authentication checks behave differently than in the past. Though, my setup might be somewhat special so not sure how to handle this, but at least want to document it here. In the end, I simply have a list of repositories which should be published only and added those using the following in config.php:

$config->addRepository('DocBeam3',      'file:///home/[...]/DocBeam3');
$config->addRepository('ElrevBenutzer', 'file:///home/[...]/ElrevBenutzer');
[...]
$config->useAccessFile('/home/[...]/authz', 'DocBeam3');
$config->useAccessFile('/home/[...]/authz', 'ElrevBenutzer');

The important thing to note is that I would like to call index.php WITHOUT any authentication, so that a listing of the configured projects is available always. After clicking onto one of those projects, the browser is requested to authenticate and afterwards the configured authz files are used to check permissions as well. This worked in the past because the authz files contained the following lines:

[/:/]
* = r

Those were treated specially in former implementations and meant something like if the repo should only be shown as part of some listing, allow that. This is pretty much what SVN documents in case of SVNParentPath and one file with multiple repos, only with the special meaning that one doesn't need to provide the concrete repo name. Not sure anymore if this special config was documented by SVN itself somewhere or only for WebSVN.

[calc:/branches/calc/bug-142]
harry = rw
sally = r

The important thing is that my lines perfectly fine worked in the past even with multiple repos having individual authz files and being listed by WebSVN. That doesn't work anymore, instead one needs to make WebSVN request some special path like in the following example of a changed index.php:

// Create listing of all configured projects (includes groups if they are used).
foreach ($projects as $project) {
    if (!$project->hasReadAccess('/websvn/allow_listing'))
        continue;

[/websvn/allow_listing]
* = r

This works even WITHOUT having corresponding directories WITHIN the SVN repo, because svnauthz only checks based on the config file, not actual repo content. The problem simply seems to be that WebSVN checks permissions for / in the repo, my authz files deny that access for valid reasons and the special workaround /:/ doesn't seem to be supported anymore.

$ /[...]/svnauthz accessof --repository 'DocBeam3' --path '/websvn/allow_listing' '/[...]/authz'
r
$ /[...]/svnauthz accessof --repository 'DocBeam3' --path '/' '/[...]/authz'
no
$ /[...]/svnauthz accessof --repository 'DocBeam3' --path '/foobar' '/[...]/authz'
no

Not sure how to handle such use cases, but making WebSVN request arbitrary directories for very special permissions doesn't sound too wrong to me. Might make more sense than to e.g. add a config deciding if to check permissions for project listings like done in index.php.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ams-tschoening