subversion module and mod_dav_svn
| Project: | Subversion |
| Version: | 5.x-2.x-dev |
| Component: | Code |
| Category: | task |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
This is just some info I wanted to share, which might have implications for the subversion module. On my website I use the svn module for Apache (mod_dav_svn). Together with the mod_auth_mysql module, this allows for the use of the accounts in the Drupal table for Subversion authentication, so website and Subversion are nicely integrated. To get this working, I used the following code in the Apache configuration file where the Subversion authentication rules are specified:
AuthType Basic
AuthName "My Website"
AuthMySQLEnable On
AuthMySQLHost localhost
# database name
AuthMySQLDB ********
# database username
AuthMySQLUser ********
# database password
AuthMySQLPassword ********
AuthMySQLUserTable "users, users_roles"
AuthMySQLNameField name
AuthMySQLPasswordField pass
AuthMySQLPwEncryption md5
AuthMySQLAuthoritative On
# write access
<LimitExcept GET PROPFIND OPTIONS REPORT>
AuthMySQLUserCondition "users.uid = users_roles.uid AND users_roles.rid = 5"
</LimitExcept>
# read access
<Limit GET PROPFIND OPTIONS REPORT>
AuthMySQLUserCondition "users.uid = users_roles.uid AND users_roles.rid IN (5, 6)"
</Limit>
require valid-user
The users_roles.rid values correspond to the rids of the roles on my website that provide readonly and commit access to the repository.
Now, how is this going to affect the Drupal subversion module? For one thing, it isn't necessary anymore for a user to specify his Subversion account setting. So it would be great if the linking of website accounts and Subversion accounts could be made optional in the subversion module.

#1
I've been integrating Subversion with Drupal, and this post was quite helpful. We're using Drupal 6, so I can't use the Subversion module, and we're using a prefix for our SQL tables. Also, our site (http://cocoaheads.byu.edu) is opting for a slightly different access model: our repository is publicly readable, but only users with certain Drupal roles can write to the repository. Here is an extract of our configuration for reference: (This is on OS X Leopard with MySQL 5 and mod_auth_mysql installed.)
<Location /svn>
DAV svn
SVNPath /path/to/repository
SVNReposName "CocoaHeads SVN Repository"
# Restrict write access to authorized users with approved roles
<LimitExcept GET PROPFIND OPTIONS REPORT>
AuthType Basic
AuthName "CocoaHeads SVN Repository"
#Prevent Apache from trying to access a user file for each request
AuthUserFile /dev/null
AuthMySQLAuthoritative On
AuthBasicAuthoritative Off
AuthMySQLEnable On
AuthMySQLHost localhost
# Only requires a MySQL user with privileges to SELECT from the tables.
AuthMySQLDB ***
AuthMySQLUser ***
AuthMySQLPassword ***
AuthMySQLUserTable "drupal_users, drupal_users_roles"
AuthMySQLNameField name
AuthMySQLPasswordField pass
AuthMySQLPwEncryption md5
AuthMySQLUserCondition "drupal_users.uid = drupal_users_roles.uid AND drupal_users_roles.rid IN (3,4)"
Require valid-user
</LimitExcept>
</Location>
#2
Unfortunately, my solution in the first post is incorrect. It provides no differentiation between users that have only read access and users that have both read and write access. Instead, I came up with the following solution, in which "Require valid-user" and "Require group" are used to differentiate between readonly and read / write access:
AuthType Basic
AuthName "Repository Name"
AuthMySQLEnable On
AuthMySQLAuthoritative On
#MySQL DB
AuthMySQLHost localhost
AuthMySQLDB ********
AuthMySQLUser ********
AuthMySQLPassword ********
#User Tables
AuthMySQLUserTable "users, users_roles"
AuthMySQLNameField users.name
AuthMySQLPasswordField users.pass
AuthMySQLPwEncryption md5
#Group Tables
AuthMySQLGroupTable "users, role, users_roles"
AuthMySQLGroupField role.rid
#WHERE Clauses
AuthMySQLUserCondition "users.status = 1 AND users.uid = users_roles.uid AND users_roles.rid IN (5, 6)"
AuthMySQLGroupCondition "users_roles.uid = users.uid AND users_roles.rid = role.rid"
#read access
<Limit GET PROPFIND OPTIONS REPORT>
Require valid-user
</Limit>
#write access
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group 5
</LimitExcept>
In the above example, the role with rid 5 is allowed to write to the repository, while the role with rid 6 is only granted read access. No anonymous read access is granted.
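An added example, not part of the thread or of mod_auth_mysql: a Python model of the configuration in comment #2, run against constructed sample rows in SQLite, to check which accounts the role mapping admits for reading and for writing. The query shapes only approximate what mod_auth_mysql issues; the table layout, account names, passwords and function names are assumptions made for the illustration.

```python
import hashlib
import sqlite3

READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}
# Conditions copied from the configuration in comment #2.
USER_CONDITION = ("users.status = 1 AND users.uid = users_roles.uid "
                  "AND users_roles.rid IN (5, 6)")
GROUP_CONDITION = "users_roles.uid = users.uid AND users_roles.rid = role.rid"
WRITE_GROUP = "5"  # from "Require group 5"


def build_sample_db():
    """Constructed sample data shaped like the Drupal tables named above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT, status INTEGER);
        CREATE TABLE role (rid INTEGER, name TEXT);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (5, 'svn commit'), (6, 'svn read');
        INSERT INTO users_roles VALUES (1, 5), (2, 6), (3, 5);
    """)
    # carol is blocked (status 0) but still holds role 5; dave has no role.
    people = [(1, "alice", "pw-a", 1), (2, "bob", "pw-b", 1),
              (3, "carol", "pw-c", 0), (4, "dave", "pw-d", 1)]
    for uid, name, pw, status in people:
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (uid, name, hashlib.md5(pw.encode()).hexdigest(), status))
    return db


def allowed(db, method, name, password):
    """Return True if the modelled configuration would admit the request."""
    # Assumed query shape: password field from the user tables, filtered by
    # the name field and AuthMySQLUserCondition.
    rows = db.execute("SELECT users.pass FROM users, users_roles "
                      "WHERE users.name = ? AND " + USER_CONDITION,
                      (name,)).fetchall()
    digest = hashlib.md5(password.encode()).hexdigest()
    if not any(row[0] == digest for row in rows):
        return False  # authentication fails: wrong password, blocked, or no role
    if method in READ_METHODS:
        return True   # "Require valid-user" inside <Limit>
    # Assumed query shape for the group lookup (AuthMySQLGroupField).
    groups = db.execute("SELECT role.rid FROM users, role, users_roles "
                        "WHERE users.name = ? AND " + GROUP_CONDITION,
                        (name,)).fetchall()
    return any(str(g[0]) == WRITE_GROUP for g in groups)  # "Require group 5"
```

In this model the blocked account is rejected at authentication by `users.status = 1` in the user condition, even though the group condition itself does not test the status column.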