This is just some info I wanted to share, which might have implications for the subversion module. On my website I use the svn module for Apache (mod_dav_svn). Together with the mod_auth_mysql module, this allows for the use of the accounts in the Drupal table for Subversion authentication, so website and Subversion are nicely integrated. To get this working, I used the following code in the Apache configuration file where the Subversion authentication rules are specified:

  AuthType Basic
  AuthName "My Website"
  AuthMySQLEnable On
  AuthMySQLHost localhost
  # database name
  AuthMySQLDB ********
  # database username
  AuthMySQLUser ********
  # database password
  AuthMySQLPassword ********
  AuthMySQLUserTable "users, users_roles"
  AuthMySQLNameField name
  AuthMySQLPasswordField pass
  AuthMySQLPwEncryption md5
  AuthMySQLAuthoritative On
 
  # write access
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    AuthMySQLUserCondition "users.uid = users_roles.uid AND users_roles.rid = 5"
  </LimitExcept>
 
  # read access
  <Limit GET PROPFIND OPTIONS REPORT>
    AuthMySQLUserCondition "users.uid = users_roles.uid AND users_roles.rid IN (5, 6)"
  </Limit>
 
  require valid-user

The users_roles.rid values correspond to the rids of the roles on my website that provide read-only and commit access to the repository.

Now, how is this going to affect the Drupal subversion module? For one thing, it isn't necessary anymore for a user to specify his Subversion account setting. So it would be great if the linking of website accounts and Subversion accounts could be made optional in the subversion module.

Comments

quinntaylor’s picture

I've been integrating Subversion with Drupal, and this post was quite helpful. We're using Drupal 6, so I can't use the Subversion module, and we're using a prefix for our SQL tables. Also, our site (http://cocoaheads.byu.edu) is opting for a slightly different access model: our repository is publicly readable, but only users with certain Drupal roles can write to the repository. Here is an extract of our configuration for reference: (This is on OS X Leopard with MySQL 5 and mod_auth_mysql installed.)

<Location /svn>
    DAV svn
    SVNPath      /path/to/repository
    SVNReposName "CocoaHeads SVN Repository"

    # Restrict write access to authorized users with approved roles 
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        AuthType               Basic
        AuthName               "CocoaHeads SVN Repository"
        #Prevent Apache from trying to access a user file for each request
        AuthUserFile           /dev/null
		
        AuthMySQLAuthoritative On
        AuthBasicAuthoritative Off
		
        AuthMySQLEnable        On
        AuthMySQLHost          localhost
        # Only requires a MySQL user with privileges to SELECT from the tables.
        AuthMySQLDB            ***
        AuthMySQLUser          ***
        AuthMySQLPassword      ***
        AuthMySQLUserTable     "drupal_users, drupal_users_roles"
        AuthMySQLNameField     name
        AuthMySQLPasswordField pass
        AuthMySQLPwEncryption  md5
        AuthMySQLUserCondition "drupal_users.uid = drupal_users_roles.uid AND\
                                drupal_users_roles.rid IN (3,4)"
        Require valid-user
    </LimitExcept>

</Location>

leop’s picture

Unfortunately, my solution in the first post is incorrect. It provides no differentiation between users that have only read access and users that have both read and write access. Instead, I came up with the following solution, in which "Require valid-user" and "Require group" are used to differentiate between readonly and read / write access:

  AuthType Basic
  AuthName "Repository Name"
  AuthMySQLEnable On
  AuthMySQLAuthoritative On

  #MySQL DB
  AuthMySQLHost localhost
  AuthMySQLDB ********
  AuthMySQLUser ********
  AuthMySQLPassword ********

  #User Tables
  AuthMySQLUserTable "users, users_roles"
  AuthMySQLNameField users.name
  AuthMySQLPasswordField users.pass
  AuthMySQLPwEncryption md5

  #Group Tables
  AuthMySQLGroupTable "users, role, users_roles"
  AuthMySQLGroupField role.rid

  #WHERE Clauses
  AuthMySQLUserCondition "users.status = 1 AND users.uid = users_roles.uid AND users_roles.rid IN (5, 6)"
  AuthMySQLGroupCondition "users_roles.uid = users.uid AND users_roles.rid = role.rid"

  #read access
  <Limit GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </Limit>

  #write access
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require group 5
  </LimitExcept>

In the above example, the role with rid 5 is allowed to write to the repository, while the role with rid 6 is only granted read access. No anonymous read access is granted.
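
The access rules of the corrected configuration above, modelled as an added example (not part of the original thread and not mod_auth_mysql's own code). SQLite stands in for MySQL, the sample rows and user names are constructed, and the query shape (SELECT field FROM tables WHERE name = ? AND condition) is an assumption about how the module combines the directives; password verification is left out.

```python
import sqlite3

READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}
# Conditions copied from the corrected configuration in the comment above.
USER_CONDITION = ("users.status = 1 AND users.uid = users_roles.uid "
                  "AND users_roles.rid IN (5, 6)")
GROUP_CONDITION = "users_roles.uid = users.uid AND users_roles.rid = role.rid"
WRITE_GROUP = "5"

def build_db():
    """Constructed sample data shaped like the Drupal tables the config names."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT, status INTEGER);
        CREATE TABLE role (rid INTEGER, name TEXT);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (5, 'svn commit'), (6, 'svn read');
        INSERT INTO users VALUES (10, 'alice', 'x', 1), (11, 'bob', 'x', 1),
                                 (12, 'carol', 'x', 0), (13, 'dave', 'x', 1);
        INSERT INTO users_roles VALUES (10, 5), (11, 6), (12, 5);
    """)
    return db

def is_valid_user(db, name):
    # Assumed query shape: SELECT <pass field> FROM <user table>
    # WHERE <name field> = ? AND <user condition>. Password check omitted.
    sql = ("SELECT users.pass FROM users, users_roles "
           f"WHERE users.name = ? AND {USER_CONDITION}")
    return db.execute(sql, (name,)).fetchone() is not None

def groups_of(db, name):
    # Assumed query shape for the group lookup, same pattern as above.
    sql = ("SELECT role.rid FROM users, role, users_roles "
           f"WHERE users.name = ? AND {GROUP_CONDITION}")
    return {str(row[0]) for row in db.execute(sql, (name,))}

def allowed(db, name, method):
    """Authentication first, then the Require line for the method's section."""
    if not is_valid_user(db, name):
        return False
    if method in READ_METHODS:                 # <Limit ...> Require valid-user
        return True
    return WRITE_GROUP in groups_of(db, name)  # <LimitExcept ...> Require group 5

def access_matrix(db, names, methods=("GET", "MKACTIVITY")):
    return {n: {m: allowed(db, n, m) for m in methods} for n in names}

if __name__ == "__main__":
    for user, row in access_matrix(build_db(), ["alice", "bob", "carol", "dave"]).items():
        print(user, row)
```

The blocked account carol shows why `users.status = 1` sits in the user condition: the group query on its own still returns role 5 for her, so only the failed authentication step keeps her out.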

mrconnerton’s picture

Status: Active » Closed (won't fix)

5.x module is no longer supported.