https://www.redmine.org/https://www.redmine.org/favicon.ico?16793021292009-02-05T08:04:09ZRedmineRedmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=71322009-02-05T08:04:09ZThomas Pihl
<ul></ul><p>Sounds interesting. Any chance you could add a patch here for us to see? I can see good use for this (also with subversion in current case).</p>
<p>/T</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=71562009-02-05T17:44:46ZMathias Kühn
<ul><li><strong>File</strong> <a href="/attachments/1492">repository_auth.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1492/repository_auth.patch">repository_auth.patch</a> added</li></ul><p>Hi, here's the patch. Actually it works the following way. In addition to provide just the username<br />and password for repository access, an authentication method can be chosen. </p>
<ul>
<li>Use Username/Password: That's the current implementation</li>
<li>Use current users name: Pass the name of the current user as username and the securitytoken as password.</li>
<li>Use current users role: Use current users role in the project as username and the securitytoken as password.</li>
</ul>
<p>On the server side, the Redmine.pm script has been extended to provide additional handlers <br /><pre>
PerlAccessHandler Apache::Authn::Redmine::redmine_access_handler
PerlAuthenHandler Apache::Authn::Redmine::redmine_authen_handler
</pre><br />which take the provided username and allow access. If the optional parameter <strong>RedmineSecurityToken</strong> is provided,<br />it must match the security token provided by the client, otherwise the authentication attempt is rejected.</p>
<p>The following example shows an example config providing a public access to subversion as already shown and<br />the secured private access point for redmines repository browser:<br /><pre>
<VirtualHost *>
PerlLoadModule Apache::Authn::Redmine
<Location /svn>
DAV svn
SVNParentPath "/srv/svn"
AuthzSVNAccessFile "/srv/svn/.authz"
AuthType Basic
AuthName "Repository"
Require valid-user
PerlAccessHandler Apache::Authn::Redmine::access_handler
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
RedmineDSN DBI:mysql:database=redmine;host=127.0.0.1
RedmineDbUser root
RedmineDbPass root
</Location>
<Location /svn-redmine>
DAV svn
SVNParentPath "/srv/svn"
AuthzSVNAccessFile "/srv/svn/.authz"
Order deny,allow
Deny from all
AuthType Basic
AuthName "Private Repository"
Require valid-user
PerlAccessHandler Apache::Authn::Redmine::redmine_access_handler
PerlAuthenHandler Apache::Authn::Redmine::redmine_authen_handler
RedmineDSN DBI:mysql:database=redmine;host=127.0.0.1
RedmineDbUser root
RedmineDbPass root
RedmineSecurityToken secureThing
<Limit GET PROPFIND OPTIONS REPORT>
Allow from localhost
</Limit>
</Location>
DocumentRoot /srv/redmine/public
ServerName subversion.internal.lan
ServerAdmin admin@internal.lan
<Directory /srv/redmine/public>
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
</pre></p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=75202009-02-21T12:28:45ZJean-Philippe Langjp_lang@yahoo.fr
<ul><li><strong>Category</strong> set to <i>SCM</i></li></ul> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=86732009-04-17T01:47:17ZKiall Mac Innes
<ul></ul><p>I would love to see this committed!</p>
<p>but... being able to admin the authz file from within redmine would be great addition as well...</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=112522009-10-04T21:55:40ZLluís Vilanova
<ul></ul><p>Duplicates <a class="issue tracker-2 status-1 priority-5 priority-high2" title="Feature: Different repository access rights for different users (New)" href="https://www.redmine.org/issues/2315">#2315</a>.</p>
<p>This would mostly eliminate the need for specifying a username/passowrd in the project settings (solving as a side effect <a class="issue tracker-2 status-5 priority-5 priority-high2 closed" title="Feature: Scramble passwords in database table "Repositories" (Closed)" href="https://www.redmine.org/issues/2034">#2034</a>), which is the main reason why I'm using a <code>file:///</code> URL.</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=117542009-11-02T16:45:42ZNikita Pustovoytov
<ul></ul><p>Lluís Vilanova wrote:</p>
<blockquote>
<p>Duplicates <a class="issue tracker-2 status-1 priority-5 priority-high2" title="Feature: Different repository access rights for different users (New)" href="https://www.redmine.org/issues/2315">#2315</a>.</p>
<p>This would mostly eliminate the need for specifying a username/passowrd in the project settings (solving as a side effect <a class="issue tracker-2 status-5 priority-5 priority-high2 closed" title="Feature: Scramble passwords in database table "Repositories" (Closed)" href="https://www.redmine.org/issues/2034">#2034</a>), which is the main reason why I'm using a <code>file:///</code> URL.</p>
</blockquote>
<p>Maybe I'm not very familiar with SVN, but where can I get security token? I'm using pure Collabnet Subversion without Apache and it is impossible to install Apache along with SVN. Some repos use path-based authentification to restrict some users. So this patch is very important for me. But how can I get the token??</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=272482011-03-29T04:32:24ZToshi MARUYAMA
<ul><li><strong>Category</strong> changed from <i>SCM</i> to <i>SCM extra</i></li></ul> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=321302011-09-10T02:20:46ZRobert Rath
<ul><li><strong>File</strong> <a href="/attachments/6529">repository_auth.7077.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/6529/repository_auth.7077.patch">repository_auth.7077.patch</a> added</li></ul><p>This patch is still relevant and necessary when doing fine grain subversion access control managed by Apache.</p>
<p>Added update patch against current stable branch 1.2-stable ( revision 7077 )</p>
<p>... Robert</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=371402012-04-01T11:04:16ZRobert Rath
<ul><li><strong>File</strong> <a href="/attachments/7402">redmine-1.3-9291_repository_auth.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/7402/redmine-1.3-9291_repository_auth.patch">redmine-1.3-9291_repository_auth.patch</a> added</li></ul><p>This patch is still relevant and necessary when doing fine grain subversion access control managed by Apache in redmine-1.3-stable.</p>
<p>Added update patch against current stable branch 1.3-stable ( revision 9291 )</p>
<p>... Robert</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=376152012-04-23T07:49:15ZPramod kumbhar
<ul></ul><p>Robert Rath wrote:</p>
<blockquote>
<p>This patch is still relevant and necessary when doing fine grain subversion access control managed by Apache in redmine-1.3-stable.</p>
<p>Added update patch against current stable branch 1.3-stable ( revision 9291 )</p>
<p>... Robert</p>
</blockquote>
<p>Robert, Can you please produce patch for current release i.e. 1.4.1? I tried to use your patch but failed.</p>
<p>Thanks!</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=515382013-09-03T05:39:47ZRobert Rath
<ul></ul><p>My patch against Redmine 1.3 <a class="changeset" title="fix source indents of app/views/repositories/revisions.html.erb" href="https://www.redmine.org/projects/redmine/repository/svn/revisions/9291">r9291</a> was missing a db/migrate file which prevented the patch from working.</p>
<p>Here is a a copy of the missing file's contents './db/migrate/109_add_special_repository_security.rb'</p>
<pre>
class AddSpecialRepositorySecurity < ActiveRecord::Migration
def self.down
remove_column :repositories, :login_method
remove_column :repositories, :security_token
end
def self.up
add_column :repositories, :login_method, :int, :default => 0, :null => true
add_column :repositories, :security_token, :string, :limit => 60, :default => "", :null => true
end
end
</pre> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=515392013-09-03T05:45:59ZRobert Rath
<ul><li><strong>File</strong> <a href="/attachments/10403">redmine-2.3-12119_repository_auth.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/10403/redmine-2.3-12119_repository_auth.patch">redmine-2.3-12119_repository_auth.patch</a> added</li></ul><p>This patch is still relevant and necessary when doing fine grain subversion access control managed by Apache in redmine-2.3-stable.</p>
<p>Added update patch against current stable branch 2.3-stable ( revision 12119 )</p>
<p>... Robert</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=515732013-09-04T04:24:45ZRobert Rath
<ul><li><strong>File</strong> <a href="/attachments/10407">redmine-2.3-12119_repository_auth-2.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/10407/redmine-2.3-12119_repository_auth-2.patch">redmine-2.3-12119_repository_auth-2.patch</a> added</li></ul><p>My updated 2.3 patch fell prey to the new 'safe_attributes' feature which protects the database against changes not defined in the model.<br />I have provided a new update patch which correctly allows edits of the new security fields.</p>
<p>... Robert Rath</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=515982013-09-04T21:03:59ZTilo Mey
<ul></ul><p>This doesn't work with redmine and subversion on different servers, even with mysql-DB-acces, does it?<br />Background: if running on the same server, the project-admins have acces to ALL repos via file:// via redmine :(</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=515992013-09-05T01:24:47ZRobert Rath
<ul></ul><p>Tilo Mey wrote:</p>
<blockquote>
<p>This doesn't work with redmine and subversion on different servers, even with mysql-DB-acces, does it?<br />Background: if running on the same server, the project-admins have acces to ALL repos via file:// via redmine :(</p>
</blockquote>
<p>Hi Tilo,</p>
<p>I use this all the time with external subversion servers via HTTPS urls, in fact the only reason the security model works is through the Apache2 authz module.<br />I also run some servers with all services locally as well but for these project-admin security is no issue.</p>
<p>Local file system assess as you described bypasses it all as you point out. Perhaps one way around this is to use file system permissions to block filesystem access and then Apache to serve SVN back to Redmine to control the security. This may not be possible however with Apache2 serving Redmine as they need to share the same user account. You could use a different service for Redmine, ie webbrick and Apache2 on a different port for SVN. This way these services can run under different user accounts which will prevent Redmine direct file system access to svn. You could also use obscurity and place the SVN files in a very hard to guess location on the filesystem (poor security).</p>
<p>Or just put Redmine and SVN on different servers. If you use virtual machines this solution will be the simplest.</p>
<p>...Robert</p>
<p>edit...</p>
<p>In all cases to implement this fine grained authz security you need the pearl module installed and configured for Apache2 on the remote subversion server. This is a problem for accessing third party servers. It may be possible to work around this by using a local Apache2 proxy but you would have to implement some form of local caching of credentials to be presented to the remote server which may or may not be acceptable.</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=527802013-10-24T12:55:26ZDaniel Hger
<ul></ul><p>Hi Robert,<br />Im getting internal error on Redmine 2.3.3 while loading the add-svn-repo site.</p>
<p>Log:</p>
<p>Completed 500 Internal Server Error in 113ms</p>
<p>ActionView::Template::Error (undefined method `login_method' for #<Repository::Subversion:0x007f60bc9d3860>):<br /> 17: <% button_disabled = true <span>><br /> 18: <</span> if <a class="user active" href="https://www.redmine.org/users/159232">Jack Zheng</a> <span>><br /> 19: <</span> button_disabled = ! @repository.class.scm_available <span>><br /> 20: <</span>= repository_field_tags(f, <a class="user active" href="https://www.redmine.org/users/159232">Jack Zheng</a>)%><br /> 21: <% end %><br /> 22: </div><br /> 23: <br /> lib/redmine/views/labelled_form_builder.rb:34:in `select'<br /> app/helpers/repositories_helper.rb:164:in `subversion_field_tags'<br /> app/helpers/repositories_helper.rb:126:in `repository_field_tags'<br /> app/views/repositories/_form.html.erb:20:in `_app_views_repositories__form_html_erb__3600649647781905487_33101280'<br /> app/views/repositories/new.html.erb:4:in `block in <em>app_views_repositories_new_html_erb</em>__1890930613153873159_32704720'<br /> app/helpers/application_helper.rb:948:in `labelled_form_for'<br /> app/views/repositories/new.html.erb:3:in `_app_views_repositories_new_html_erb___1890930613153873159_32704720'</p>
<p>Btw: is it possible to add this patch to the official redmine version?</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=528732013-10-30T13:26:51ZRobert Rath
<ul></ul><p>Daniel Hger wrote:</p>
<blockquote>
<p>Hi Robert,<br />Im getting internal error on Redmine 2.3.3 while loading the add-svn-repo site.</p>
<p>Log:</p>
<p>Completed 500 Internal Server Error in 113ms</p>
<p>ActionView::Template::Error (undefined method `login_method' for #<Repository::Subversion:0x007f60bc9d3860>):<br />17: <% button_disabled = true <span>><br />18: <</span> if <a class="user active" href="https://www.redmine.org/users/159232">Jack Zheng</a> <span>><br />19: <</span> button_disabled = ! @repository.class.scm_available <span>><br />20: <</span>= repository_field_tags(f, <a class="user active" href="https://www.redmine.org/users/159232">Jack Zheng</a>)%><br />21: <% end %><br />22: </div><br />23: <br />lib/redmine/views/labelled_form_builder.rb:34:in `select'<br />app/helpers/repositories_helper.rb:164:in `subversion_field_tags'<br />app/helpers/repositories_helper.rb:126:in `repository_field_tags'<br />app/views/repositories/_form.html.erb:20:in `_app_views_repositories__form_html_erb__3600649647781905487_33101280'<br />app/views/repositories/new.html.erb:4:in `block in <em>app_views_repositories_new_html_erb</em>__1890930613153873159_32704720'<br />app/helpers/application_helper.rb:948:in `labelled_form_for'<br />app/views/repositories/new.html.erb:3:in `_app_views_repositories_new_html_erb___1890930613153873159_32704720'</p>
<p>Btw: is it possible to add this patch to the official redmine version?</p>
</blockquote>
<p>Hi Daniel,</p>
<p>My patch is specific to the official Redmine version as at 2.3 <a class="changeset" title="Merged r12118 from trunk to 2.3-stable (#14697) fix wrong Russian translation in close project m..." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/12119">r12119</a>. Once the official version moves on the patch may no longer work. You may however be able to update back to <a class="changeset" title="Merged r12118 from trunk to 2.3-stable (#14697) fix wrong Russian translation in close project m..." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/12119">r12119</a>, apply the patch and then update back to the latest production release.</p>
<p>When I get a free moment I will see where it stands with respect to the current Redmine release.</p>
<p>Regards,<br />Robert Rath</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=545722014-01-30T19:22:29ZDaniel Hger
<ul></ul><p>My error occured because i didn't applied db:migrate correctly.<br />This patch still works for Redmine v2.4.2 - just the file config/locales/en.yml changed a little bit.</p>
<p>I'm just worried about one thing: users who are not authorized to access the repository can still crawl over all revisions.<br />Redmine stores these informations in its database when the repository is accessed. <br />The goal is to prevent users who are not authorized from gaining informations about the repository.</p>
<p>edit: it is possible to achieve this via roles, but not based on the repo-rules</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=545742014-01-30T22:44:53ZRobert Rath
<ul></ul><p>Daniel Hger wrote:</p>
<blockquote>
<p>My error occured because i didn't applied db:migrate correctly.<br />This patch still works for Redmine v2.4.2 - just the file config/locales/en.yml changed a little bit.</p>
<p>I'm just worried about one thing: users who are not authorized to access the repository can still crawl over all revisions.<br />Redmine stores these informations in its database when the repository is accessed. <br />The goal is to prevent users who are not authorized from gaining informations about the repository.</p>
<p>edit: it is possible to achieve this via roles, but not based on the repo-rules</p>
</blockquote>
<p>Hi Daniel,</p>
<p>This patch transfers all access control of SVN to Apache's authz module. This means that in addition to setting up individual user access to SVN you have fine grained access control throughout your entire repository tree simply by setting up and editing an Apache authz file, creating groups and R/W assignments as simply or as complex as you require. Unfortunately the authz will need to be manually edited (or managed with some other tool) on the server's file system.</p>
<p>... Robert Rath</p>
<p>As I previously mentioned, this access control mechanism is intimately bound to apache. Anyone with direct access to the repository's file system can bypass it all.</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=559962014-04-22T13:19:14ZDaniel Hger
<ul></ul><p>The problem is that Redmine still copies the revisions into its database when a uses tries to access the repository. (Thats why the first access to a big repo needs more time, just look in the db/logs, a huge amount of data is getting stored there)</p>
<p>So someone who cant access the repo can still see the revisions (including path names, file names, actions).<br />Redmine needs the revisions stored in its db to be able to provide links to them in issues and forums.<br />We need a fix to hide the revision pages from users who cant access the repo.<br />So in the controller for this view we have to add a check if the current user can really read the information provided on the revision's page.</p>
<p>For this check we need to access the svn-repo via a querry to the apache host (with user credentials) or evaluate the rights from ./conf/authz in the svn folder (filesystem) for each file mentioned on the rev's page.</p>
<p>Both solutions are dirty, but i dont see another way...</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=589282014-10-01T14:06:41ZDaniel Hger
<ul></ul><p>I wrote a complete new patch which hides nearly everything from denied users.<br />In my company we use the same LDAP for Redmine and SVN, so all users have the same login.</p>
<p>Redmine has direct file access to the repository and compares ./conf/authz file for every request (which exposes svn related data) with the current user's name and the paths/files.<br />If the user is not permitted to see these paths, files, diffs, revisions, revision-info, etc. the user is redirected to an error page or the content is changed (e.g. tooltips).<br />If anyone is interested i can upload my code.</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=590872014-10-10T20:00:05ZKeith Johnson
<ul></ul><p>Daniel Hger wrote:</p>
<blockquote>
<p>I wrote a complete new patch which hides nearly everything from denied users.<br />In my company we use the same LDAP for Redmine and SVN, so all users have the same login.</p>
<p>Redmine has direct file access to the repository and compares ./conf/authz file for every request (which exposes svn related data) with the current user's name and the paths/files.<br />If the user is not permitted to see these paths, files, diffs, revisions, revision-info, etc. the user is redirected to an error page or the content is changed (e.g. tooltips).<br />If anyone is interested i can upload my code.</p>
</blockquote>
<p>Hi Daniel,<br />I would love to get a copy of your patches, even if they aren't perfect. We've got a project where this is necessary and it sounds like your changes are exactly what we need. If you don't want to upload them publicly my email is in my profile.</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=591082014-10-13T11:39:09ZDaniel Hger
<ul><li><strong>File</strong> <a href="/attachments/12455">svnpatch251_v3.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/12455/svnpatch251_v3.patch">svnpatch251_v3.patch</a> added</li></ul><p>Please let me know if you have further questions or improvements.<br />Currently every svn request is checked by svncheck. Maybe we should exclude web urls.</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=591092014-10-13T12:15:05ZDaniel Hger
<ul></ul><p>Repositories have to be created and first accessed by admin. Afterwards Redmine copys the repo information into its database. This process can take a very long time for huge repos. Repos in sub directories are also supported.<br />My svn repos are mounted to /opt/svn/ (e.g. /opt/svn/reponame/conf/authz).<br />Im only a student and this code still needs improvements since it was just created to fit our company.</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=634722015-04-30T11:45:07ZTilo Mey
<ul></ul><p>Robert Rath wrote:</p>
<blockquote>
<p>I use this all the time with external subversion servers via HTTPS urls, in fact the only reason the security model works is through the Apache2 authz module.<br />Or just put Redmine and SVN on different servers. If you use virtual machines this solution will be the simplest.</p>
<p>...Robert</p>
<p>edit...</p>
<p>In all cases to implement this fine grained authz security you need the pearl module installed and configured for Apache2 on the remote subversion server. This is a problem for accessing third party servers. It may be possible to work around this by using a local Apache2 proxy but you would have to implement some form of local caching of credentials to be presented to the remote server which may or may not be acceptable.</p>
</blockquote>
<p>I've 2 servers:<br />one vor redmine, another for svn.<br />Direct svn via https with fine granular is working fine.</p>
<p>For redmine I'm using<br />redmine-2.3-12119_repository_auth-2.patch</p>
<p>Therefore I've something like this in /etc/apache/mods-eanbled/dav_svn.conf on svn</p>
<pre>
PerlLoadModule Apache::Redmine
<Location /svn-redmine>
DAV svn
SVNPath /srv/subversion/repo
Order deny,allow
Deny from all
# only allow reading orders
AuthType Basic
AuthName redmine
Require valid-user
AuthUserFile /srv/subversion/authz
PerlAccessHandler Apache::Redmine::redmine_access_handler
PerlAuthenHandler Apache::Redmine::redmine_authen_handler
RedmineSecurityToken "redminetoken"
<Limit GET PROPFIND OPTIONS REPORT>
Allow from remine.blob.de
</Limit>
</Location>
</pre>
<p>But there is an error on svn:<br />Can't connect to data source '' because I can't work out what driver to use (it doesn't seem to contain a 'dbi:driver:' prefix and the DBI_DRIVER env var is not set) at /usr/lib/perl5/Apache/Redmine.pm line 562.</p>
<p>On the repository-seting in redmine I've choosen "Name of current user"</p>
<p>Why does the svn is needing the database-connection to redmine?</p> Redmine - Feature #2647: Repository browsing shall respect ACLs in repositoryhttps://www.redmine.org/issues/2647?journal_id=1030242021-06-29T05:36:55ZGo MAEDA
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default" href="/issues/13484">Defect #13484</a>: restricted access folder in a redmine project</i> added</li></ul>