[Patch?] Browse private repositories without supplying login and password

Added by Anthony Paul almost 10 years ago

Hello all,

I'm using Redmine 0.9.3 on Debian testing (from packages), with MySQL, Apache (w/ Redmine.pm and Passenger) and SVN repositories.

When I'm creating a public project, I can browse the repository flawlessly.
However, I can't browse repositories of "private" projects, even when I'm logged in Redmine as the manager of this project.
If I want to browse it, I have to supply my login and password in the Settings/Repository tab. Is it the normal behaviour?

It's a little annoying since it could seem strange to users to supply their password, and I noticed it was stored in plain text in the MySQL database (repositories table).

Why the subversion_adapter.rb script can't get the login/password of the currently logged user?

Thanks for your help!

Replies (7)

RE: [Patch?] Browse private repositories without supplying login and password - Added by Felix Schäfer almost 10 years ago

Redmine doesn't use the credentials of the logged in user, especially because redmine only knows about the hash of the password, not the password itself. See Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl to see how to configure apache to allow read access to the svn repositories without authentication from the server on which redmine is installed. You might also prefer to use the file:// schema instead of http:// access if both are on the same server.

RE: [Patch?] Browse private repositories without supplying login and password - Added by Anthony Paul almost 10 years ago

Thanks for your prompt reply.

I figured out why

subversion_adapter.rb
can't get the password when I tried to change its code (I forgot only the hash was stored).

I read this HowTo several times (and I used it for my set up), but I think it only allows anonymous browsing of public repositories, not private ones. And having a look at Redmine.pm, it seems it manages only public projects (though I'm easily lost in Perl code...).

Maybe there is an obvious error in my config, so here it is:

Apache
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
        SSLCACertificateFile ...
        DefaultInitEnv X_DEBIAN_SITEID "default" 

        ServerName my_server:443

        DocumentRoot /usr/share/redmine/public/
        LogLevel debug
        ErrorLog /var/log/redmine/default/error.log

        <Directory /usr/share/redmine/public/>
                Options Indexes ExecCGI FollowSymlinks
                Order allow,deny
                Allow from all
                AllowOverride all
        </Directory>

PerlLoadModule Apache::Redmine
PerlLoadModule Authen::Simple::LDAP
<Location /svn>
        DAV svn
        SVNParentPath "/path/to/svn" 
        Satisfy any

        PerlAccessHandler Apache::Authn::Redmine::access_handler
        PerlAccessHandler Apache::Authn::Redmine::authen_handler
        AuthType Basic
        AuthName "SVN Repository" 
        AuthBasicAuthoritative off

        <Limit GET PROPFIND OPTIONS REPORT>
                Require valid-user
                Allow from all
                Satisfy any
        </Limit>
        <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require valid-user
        </LimitExcept>

        RedmineDSN "DBI:mysql:database=redmine_db;host=localhost" 
        RedmineDbUser "redmine_db" 
        RedmineDbPass "redmine_pw" 
</Location>
</VirtualHost>

I also modified

subversion_adapter.rb
to add the
--trust-server-cert
option of SVN since I use HTTPS

Using google, I could find one patch which seems to do something similar, but I didn't tried it, and since it disappeared from the Redmine tracker, I think it's a bad idea to use it... http://www.redmine.org/attachments/2179/no-need-for-svn-private.diff

Once again, thanks for your help.

RE: [Patch?] Browse private repositories without supplying login and password - Added by Felix Schäfer almost 10 years ago

  1. you can kill the --trust-server-cert by logging in as the server running redmine and connecting to the repository with svn and accepting the certificate permanently,
  2. try Allow from so.me.i.p instead of all, as that is the part that should enable redmine to connect read-only to the svn repos (and I'm not sure apache reads the allow from all part for satisfy any), redmine.pm shouldn't even get asked for anything in this scenario.

RE: [Patch?] Browse private repositories without supplying login and password - Added by Anthony Paul almost 10 years ago

Yes, actually I was running with an accepted certificate (www-data user under Debian) before I upgraded subversion. --trust-server-cert wasn't available with svn < 1.6, but now I'm using this option since I thought it was more "clean". Nevertheless, I could get back to my ex-config, but I had the same problem about repositories.

Thank you for the tip, I didn't know there could be troubles between "satisfy any" and "Allow from all". But here again, "Allow from all" is the result of multiple testings. I'm back to my "allow from 11.22.33.44". I even tried "allow from 11.22.33.44 127.0.0.1".

By the way, do you think this feature (browsing private repos without providing extra login/password) is available?

I tried many "tips", such like:

# svn list https://mysvnserver.fr/svn/test3 --non-interactive --trust-server-cert --no-auth-cache --xml

which returns:
<?xml version="1.0"?>
<lists>
<list
   path="https://mysvnserver.fr/svn/test3">
svn: OPTIONS de 'https://mysvnserver.fr/svn/test3': Échec à l'autorisation : Could not authenticate to server: rejected Basic challenge (https://mysvnserver.fr)

I tried it with and without the SSL config.

If I try to remove some limitations like:

        <Limit GET PROPFIND OPTIONS REPORT>
                Require valid-user
                Allow from all
                Satisfy any
        </Limit>

changed into
        <Limit GET PROPFIND OPTIONS REPORT>
                Allow from all
        </Limit>

I have an unexpected error delivered by Redmine.pm complaining

[error] access to /svn/test3 failed for 11.22.33.44, reason: No authentication has been configured

Otherwise (with normal conf) I get this:

svn: OPTIONS of 'https://mysvnserver.fr/svn/test3': authorization failed: Could not
 authenticate to server: rejected Basic challenge

If this feature is not available, I think it would be interesting if Redmine (or SVN?) always accept to read repositories, then display it or not depending on the logged user.

The problem by now is that I don't know if my config is wrong or if this feature isn't implemented...

RE: [Patch?] Browse private repositories without supplying login and password - Added by Felix Schäfer almost 10 years ago

I'd suggest you submit a bug as redmine.pm is shipped with redmine.

RE: [Patch?] Browse private repositories without supplying login and password - Added by Anthony Paul almost 10 years ago

OK, thank you very much for your time and your help, Felix.
I've just reported a bug (or feature request) here: http://www.redmine.org/issues/5236

Thanks again!

RE: [Patch?] Browse private repositories without supplying login and password - Added by Anthony Paul almost 10 years ago

Just to let you know that I've submitted a small patch for this here: http://www.redmine.org/issues/5236
Please let me know if you have any suggestion.

(1-7/7)