Redmine

Jean Van Dooren wrote:

i modified the redmine.pm file in order to (try to) match Redmine rights and SVN methods.
If you use curent Redmine.pm file, you'll see that if you check the "Browse repository" right in Redmine for a user (role->user), the user can do everything in SVN.
Even if you don't check commit access into Redmine…

I have the current Redmine.pm and users with no commit access can't commit on my installation, and this has also been verified by others. I don't see how your proposed patch fundamentally changes the workings of Redmine.pm either. What problem did you have that triggered you to make those changes?

Hi Felix,

I made one more test. I finally find the problem but my modification does not correct it...

If I enable RedmineCacheCredsMax in Apache configuration file, I can do anything on SVN. All you need is to be member of the project.

I think RedmineCache should only keep user and password, rights on project must be checked on each access.

Best regards,
Jean

I modified Remdine.pm file with this:
Remove code between line 310 and 313:

  if ($cfg->{RedmineCacheCredsMax}) {
    $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id);
    return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
  }

Remove line 327 and 341:

 my $method = $r->method;

Insert modified code at line 319:

while (my ($hashed_password, $auth_source_id, $permissions) = $sth->fetchrow_array) {
     my $method = $r->method;
     if ($cfg->{RedmineCacheCredsMax}) {
         $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id);
         return 1 if ((defined $usrprojpass and ($usrprojpass eq $pass_digest)) && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
     }
     unless ($auth_source_id) {
     my $method = $r->method;

This will check user permission even if password is not verified for each action.

Hey Jean,

i tried to change the Redmine.pm.
But somewhere i have an fault because the apache will not start. No error in logfile.

Plz upload the diff.

Best regards,
Hans

Felix, plz don't close the ticket as long as there is no complete solution (diff). We tried to rebuild the "description" and afterwards the apache dopn't even start.
The Bug is still here, or can anybody provide a tested diff?

Felix Schäfer wrote:

Thanks for the feedback Jean.

Could you please open a new issue for this, and provide a diff rather than a "description" of the cahnges. Thanks!

Terence Mill wrote:

Felix, plz don't close the ticket as long as there is no complete solution (diff). We tried to rebuild the "description" and afterwards the apache dopn't even start.
The Bug is still here, or can anybody provide a tested diff?

The originally reported bug is fixed in current redmine. If you have found other problems, for example with the permission handling when using credential caching, then please open a new issue.

You say its fixed .. but in which version? I thought that the redmine.pm is no part of the core, moreover a deeper svn integration Patch.

We had orginally an svn check-in performance problem without the cache, cause for every folder the rights are checked again.
We will give it a try with the cache enabled now, an hope that will fix the perfoemance issue.

Terence Mill wrote:

You say its fixed .. but in which version? I thought that the redmine.pm is no part of the core, moreover a deeper svn integration Patch.

*HINT* The originally reported issue being Redmine.pm not always respecting read and/or commit accesses correctly has been fixed in the 2 last commits listed there. And Redmine.pm is part of core, though probably not the part getting the most love in it. As I have already said twice, if there is a problem with the caching mechanism, open a new issue.

We had orginally an svn check-in performance problem without the cache, cause for every folder the rights are checked again.
We will give it a try with the cache enabled now, an hope that will fix the perfoemance issue.

Try adding SVNPathAuthz off to the Location block in your apache config, this will basically only check permissions on the first level, i.e. repository level, which is enough because redmine doesn't provide finer-grained permissions.

Ok, i understood. Tx for exercising patience ;)