Bug #49877

Feature #36172: Forge cleanup and update umbrella issue

Feature #45844: Separate SVN from the Redmine server

SVN authorization

Added by Steffen Gebert over 6 years ago. Updated over 2 years ago.

Status: Closed
Priority: Must have
Category: -
Target version: -
Start date: 2013-07-11
Due date:
% Done: 70%


Description

When a user commits to an SVN repository, it has to be checked whether he's allowed to do so.

  • Authentication (asking for username + password) is already done (using the /services/authenticate.php)
  • Authorization then has to check whether the user belongs to the group having write permission for this path.

This is not fixed yet. We see two options:

  1. pull (through a cron job or triggered by MQ) a list of all projects from forge and loop over them to ask for the project memberships.
    Then put these data together into an "authz path-based authorization" file that looks like this:
    [groups]
    admins = john, inge, dieter
    extension-gimmefive-developers = jocrau, ohader
    extension-contentparser-developers = jocrau
    extension-rootline-developers = jocrau
    extension-perfectlightbox-developers = niediek
    extension-nc_staticfilecache-developers = sonne, ohader, danp, franzripfel, stefan_sprenger, axeljung01, soda_2005, ncfrans, michael.klapper, spyker, fab1en
    
    [/gimmefive]
    @extension-gimmefive-developers = rw
    
    [/contentparser]
    @extension-contentparser-developers = rw
    
    [/]
    @admins = rw
    @extensions-developers = rw
    * = r
    
  2. bring back the old code to redmine that writes the authz file (this and probably a few others) and expose this file to the SVN server, which fetches it regularly. I suggest being careful when doing so and first downloading it and then moving the downloaded file (after a size verification?) over the active one (atomic operation).

svn-groups.php - Sync script (5.83 KB) Steffen Gebert, 2013-07-12 22:51
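A sketch of option 1 combined with the careful swap suggested in option 2, as an added example (not the attached svn-groups.php and not code from the forge). The function names, the identifier rule and the `min_ratio` threshold are assumptions. Logins and project keys coming from the forge are validated before they are written, because a name containing a newline or `=` could add its own section or access rule to the authz file.

```python
import os
import re
import tempfile

# Assumed naming rule (not from the issue): only characters that cannot end a
# line, start a [section] or add a second "name = rights" entry.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def render_authz(admins, projects):
    """Build authz text; projects maps path name -> list of member logins."""
    members = [m for logins in projects.values() for m in logins]
    for name in [*admins, *projects, *members]:
        if not SAFE_NAME.fullmatch(name):  # fullmatch also rejects "name\n"
            raise ValueError(f"unsafe identifier from forge: {name!r}")
    lines = ["[groups]", "admins = " + ", ".join(sorted(admins))]
    for key in sorted(projects):
        lines.append(f"extension-{key}-developers = " + ", ".join(sorted(projects[key])))
    for key in sorted(projects):
        lines += ["", f"[/{key}]", f"@extension-{key}-developers = rw"]
    return "\n".join(lines + ["", "[/]", "@admins = rw", "* = r", ""])


def install_authz(content, target, min_ratio=0.5):
    """Replace target atomically; refuse a file that shrank suspiciously."""
    data = content.encode("utf-8")
    if os.path.exists(target) and len(data) < min_ratio * os.path.getsize(target):
        raise ValueError("new authz file is much smaller than the active one")
    # Temp file in the target's directory keeps os.replace() on one filesystem.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(target)), prefix=".authz-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; the SVN server must read it
        os.replace(tmp, target)  # readers see the old file or the new, never a partial one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed sample data in the shape of the issue's example file.
    sample = {"gimmefive": ["jocrau", "ohader"], "contentparser": ["jocrau"]}
    text = render_authz(["john", "inge", "dieter"], sample)
    install_authz(text, os.path.join(tempfile.mkdtemp(), "authz"))
    print(text)
```

If the forge API returns an empty or truncated project list, the size check keeps the active file in place instead of silently revoking every group's write access.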

History

#1 Updated by Steffen Gebert over 6 years ago

It sounded like we will try 1. first and Bastian offered his help there

#2 Updated by Steffen Gebert over 6 years ago

Attached is a possible solution.

Caveat: it relies on the typo3_api plugin I wrote some time ago, which seems not to work in Redmine 2.2 (see redmine forum entry). The problem exposes the user's login name to the API. If we don't get a hint how this works now (I think I will ask Stefan about that), we would have to patch the view in redmine.

#3 Updated by Steffen Gebert over 6 years ago

  • Status changed from New to Needs Feedback
  • % Done changed from 0 to 70

#4 Updated by Steffen Gebert over 6 years ago

  • Assignee set to Steffen Gebert

#5 Updated by Steffen Gebert over 2 years ago

  • Status changed from Needs Feedback to Rejected

#6 Updated by Steffen Gebert over 2 years ago

  • Status changed from Rejected to Closed
