Redmine

Sounds interesting. Any chance you could add a patch here for us to see? I can see good use for this (also with subversion in current case).

/T

I would love to see this committed!

but... being able to admin the authz file from within redmine would be great addition as well...

Duplicates #2315.

This would mostly eliminate the need for specifying a username/passowrd in the project settings (solving as a side effect #2034), which is the main reason why I'm using a file:/// URL.

Lluís Vilanova wrote:

Duplicates #2315.

This would mostly eliminate the need for specifying a username/passowrd in the project settings (solving as a side effect #2034), which is the main reason why I'm using a file:/// URL.

Maybe I'm not very familiar with SVN, but where can I get security token? I'm using pure Collabnet Subversion without Apache and it is impossible to install Apache along with SVN. Some repos use path-based authentification to restrict some users. So this patch is very important for me. But how can I get the token??

Robert Rath wrote:

This patch is still relevant and necessary when doing fine grain subversion access control managed by Apache in redmine-1.3-stable.

Added update patch against current stable branch 1.3-stable ( revision 9291 )

... Robert

Robert, Can you please produce patch for current release i.e. 1.4.1? I tried to use your patch but failed.

Thanks!

My patch against Redmine 1.3 r9291 was missing a db/migrate file which prevented the patch from working.

Here is a a copy of the missing file's contents './db/migrate/109_add_special_repository_security.rb'

class AddSpecialRepositorySecurity < ActiveRecord::Migration
  def self.down
    remove_column :repositories, :login_method
    remove_column :repositories, :security_token
  end

  def self.up
    add_column :repositories, :login_method, :int, :default => 0, :null => true
    add_column :repositories, :security_token, :string, :limit => 60, :default => "", :null => true
  end
end

This doesn't work with redmine and subversion on different servers, even with mysql-DB-acces, does it?
Background: if running on the same server, the project-admins have acces to ALL repos via file:// via redmine :(

Tilo Mey wrote:

This doesn't work with redmine and subversion on different servers, even with mysql-DB-acces, does it?
Background: if running on the same server, the project-admins have acces to ALL repos via file:// via redmine :(

Hi Tilo,

I use this all the time with external subversion servers via HTTPS urls, in fact the only reason the security model works is through the Apache2 authz module.
I also run some servers with all services locally as well but for these project-admin security is no issue.

Local file system assess as you described bypasses it all as you point out. Perhaps one way around this is to use file system permissions to block filesystem access and then Apache to serve SVN back to Redmine to control the security. This may not be possible however with Apache2 serving Redmine as they need to share the same user account. You could use a different service for Redmine, ie webbrick and Apache2 on a different port for SVN. This way these services can run under different user accounts which will prevent Redmine direct file system access to svn. You could also use obscurity and place the SVN files in a very hard to guess location on the filesystem (poor security).

Or just put Redmine and SVN on different servers. If you use virtual machines this solution will be the simplest.

...Robert

edit...

In all cases to implement this fine grained authz security you need the pearl module installed and configured for Apache2 on the remote subversion server. This is a problem for accessing third party servers. It may be possible to work around this by using a local Apache2 proxy but you would have to implement some form of local caching of credentials to be presented to the remote server which may or may not be acceptable.

Hi Robert,
Im getting internal error on Redmine 2.3.3 while loading the add-svn-repo site.

Log:

Completed 500 Internal Server Error in 113ms

ActionView::Template::Error (undefined method `login_method' for #<Repository::Subversion:0x007f60bc9d3860>):
17: <% button_disabled = true >
18: < if Jack Zheng >
19: < button_disabled = ! @repository.class.scm_available >
20: <= repository_field_tags(f, Jack Zheng)%>
21: <% end %>
22: </div>
23:
lib/redmine/views/labelled_form_builder.rb:34:in `select'
app/helpers/repositories_helper.rb:164:in `subversion_field_tags'
app/helpers/repositories_helper.rb:126:in `repository_field_tags'
app/views/repositories/_form.html.erb:20:in `_app_views_repositories__form_html_erb__3600649647781905487_33101280'
app/views/repositories/new.html.erb:4:in `block in app_views_repositories_new_html_erb__1890930613153873159_32704720'
app/helpers/application_helper.rb:948:in `labelled_form_for'
app/views/repositories/new.html.erb:3:in `_app_views_repositories_new_html_erb___1890930613153873159_32704720'

Btw: is it possible to add this patch to the official redmine version?

Daniel Hger wrote:

Hi Robert,
Im getting internal error on Redmine 2.3.3 while loading the add-svn-repo site.

Log:

Completed 500 Internal Server Error in 113ms

ActionView::Template::Error (undefined method `login_method' for #<Repository::Subversion:0x007f60bc9d3860>):
17: <% button_disabled = true >
18: < if Jack Zheng >
19: < button_disabled = ! @repository.class.scm_available >
20: <= repository_field_tags(f, Jack Zheng)%>
21: <% end %>
22: </div>
23:
lib/redmine/views/labelled_form_builder.rb:34:in `select'
app/helpers/repositories_helper.rb:164:in `subversion_field_tags'
app/helpers/repositories_helper.rb:126:in `repository_field_tags'
app/views/repositories/_form.html.erb:20:in `_app_views_repositories__form_html_erb__3600649647781905487_33101280'
app/views/repositories/new.html.erb:4:in `block in app_views_repositories_new_html_erb__1890930613153873159_32704720'
app/helpers/application_helper.rb:948:in `labelled_form_for'
app/views/repositories/new.html.erb:3:in `_app_views_repositories_new_html_erb___1890930613153873159_32704720'

Btw: is it possible to add this patch to the official redmine version?

Hi Daniel,

My patch is specific to the official Redmine version as at 2.3 r12119. Once the official version moves on the patch may no longer work. You may however be able to update back to r12119, apply the patch and then update back to the latest production release.

When I get a free moment I will see where it stands with respect to the current Redmine release.

Regards,
Robert Rath

My error occured because i didn't applied db:migrate correctly.
This patch still works for Redmine v2.4.2 - just the file config/locales/en.yml changed a little bit.

I'm just worried about one thing: users who are not authorized to access the repository can still crawl over all revisions.
Redmine stores these informations in its database when the repository is accessed.
The goal is to prevent users who are not authorized from gaining informations about the repository.

edit: it is possible to achieve this via roles, but not based on the repo-rules

Daniel Hger wrote:

My error occured because i didn't applied db:migrate correctly.
This patch still works for Redmine v2.4.2 - just the file config/locales/en.yml changed a little bit.

I'm just worried about one thing: users who are not authorized to access the repository can still crawl over all revisions.
Redmine stores these informations in its database when the repository is accessed.
The goal is to prevent users who are not authorized from gaining informations about the repository.

edit: it is possible to achieve this via roles, but not based on the repo-rules

Hi Daniel,

This patch transfers all access control of SVN to Apache's authz module. This means that in addition to setting up individual user access to SVN you have fine grained access control throughout your entire repository tree simply by setting up and editing an Apache authz file, creating groups and R/W assignments as simply or as complex as you require. Unfortunately the authz will need to be manually edited (or managed with some other tool) on the server's file system.

... Robert Rath

As I previously mentioned, this access control mechanism is intimately bound to apache. Anyone with direct access to the repository's file system can bypass it all.

The problem is that Redmine still copies the revisions into its database when a uses tries to access the repository. (Thats why the first access to a big repo needs more time, just look in the db/logs, a huge amount of data is getting stored there)

So someone who cant access the repo can still see the revisions (including path names, file names, actions).
Redmine needs the revisions stored in its db to be able to provide links to them in issues and forums.
We need a fix to hide the revision pages from users who cant access the repo.
So in the controller for this view we have to add a check if the current user can really read the information provided on the revision's page.

For this check we need to access the svn-repo via a querry to the apache host (with user credentials) or evaluate the rights from ./conf/authz in the svn folder (filesystem) for each file mentioned on the rev's page.

Both solutions are dirty, but i dont see another way...

I wrote a complete new patch which hides nearly everything from denied users.
In my company we use the same LDAP for Redmine and SVN, so all users have the same login.

Redmine has direct file access to the repository and compares ./conf/authz file for every request (which exposes svn related data) with the current user's name and the paths/files.
If the user is not permitted to see these paths, files, diffs, revisions, revision-info, etc. the user is redirected to an error page or the content is changed (e.g. tooltips).
If anyone is interested i can upload my code.

Daniel Hger wrote:

I wrote a complete new patch which hides nearly everything from denied users.
In my company we use the same LDAP for Redmine and SVN, so all users have the same login.

Redmine has direct file access to the repository and compares ./conf/authz file for every request (which exposes svn related data) with the current user's name and the paths/files.
If the user is not permitted to see these paths, files, diffs, revisions, revision-info, etc. the user is redirected to an error page or the content is changed (e.g. tooltips).
If anyone is interested i can upload my code.

Hi Daniel,
I would love to get a copy of your patches, even if they aren't perfect. We've got a project where this is necessary and it sounds like your changes are exactly what we need. If you don't want to upload them publicly my email is in my profile.

Repositories have to be created and first accessed by admin. Afterwards Redmine copys the repo information into its database. This process can take a very long time for huge repos. Repos in sub directories are also supported.
My svn repos are mounted to /opt/svn/ (e.g. /opt/svn/reponame/conf/authz).
Im only a student and this code still needs improvements since it was just created to fit our company.

Robert Rath wrote:

I use this all the time with external subversion servers via HTTPS urls, in fact the only reason the security model works is through the Apache2 authz module.
Or just put Redmine and SVN on different servers. If you use virtual machines this solution will be the simplest.

...Robert

edit...

In all cases to implement this fine grained authz security you need the pearl module installed and configured for Apache2 on the remote subversion server. This is a problem for accessing third party servers. It may be possible to work around this by using a local Apache2 proxy but you would have to implement some form of local caching of credentials to be presented to the remote server which may or may not be acceptable.

I've 2 servers:
one vor redmine, another for svn.
Direct svn via https with fine granular is working fine.

For redmine I'm using
redmine-2.3-12119_repository_auth-2.patch

Therefore I've something like this in /etc/apache/mods-eanbled/dav_svn.conf on svn

PerlLoadModule Apache::Redmine
<Location /svn-redmine>
     DAV svn
     SVNPath /srv/subversion/repo
     Order deny,allow
     Deny from all
     # only allow reading orders

     AuthType Basic
     AuthName redmine
     Require valid-user
     AuthUserFile /srv/subversion/authz
     PerlAccessHandler Apache::Redmine::redmine_access_handler
     PerlAuthenHandler Apache::Redmine::redmine_authen_handler

     RedmineSecurityToken "redminetoken" 

     <Limit GET PROPFIND OPTIONS REPORT>
       Allow from remine.blob.de
     </Limit>
</Location>

But there is an error on svn:
Can't connect to data source '' because I can't work out what driver to use (it doesn't seem to contain a 'dbi:driver:' prefix and the DBI_DRIVER env var is not set) at /usr/lib/perl5/Apache/Redmine.pm line 562.

On the repository-seting in redmine I've choosen "Name of current user"

Why does the svn is needing the database-connection to redmine?