trac, subversion authz file not respected !


jehanproc

Oct 11, 2006, 5:05:23 PM
to Trac Users
I just installed trac from yum install (rpm package from fedora 5)
I issued
$ trac-admin /usr/local/tracdb/s2ia initenv
Project Name [My Project]> s2ia
Database connection string [sqlite:db/trac.db]>
Repository type [svn]>
Path to repository [/path/to/repos]> /var/www/svnweb/repos/s2ia
Templates directory [/usr/share/trac/templates]>

My problem is that when I access my svn project with a browser
pointing to the root of the repository with
http://..../cgi-bin/trac.cgi/browser/ I have access to all projects,
even those that have forbidden access to anyone with my
/var/www/svnweb/conf/authz file containing for example
[s2ia:/project]
user1 = rw
* =
And I'm not logged in trac !

Any idea of what is wrong ?
Thanks

Noah Kantrowitz

Oct 12, 2006, 2:07:34 AM
to trac-...@googlegroups.com
You need to configure the path to the authz file in trac.ini. In
[trac] you want "authz_file = /var/www/svnweb/conf/authz".

--Noah

Jehan PROCACCIA

Oct 12, 2006, 4:17:55 AM
to trac-...@googlegroups.com
good idea ! , so I just did that
[trac]
authz_file = /var/www/svnweb/repos/conf/authz

but no way, I can still browse all directories :-(

Rainer Sokoll

Oct 12, 2006, 4:31:16 AM
to trac-...@googlegroups.com
On Thu, Oct 12, 2006 at 10:17:55AM +0200, Jehan PROCACCIA wrote:
>
> good idea ! , so I just did that
> [trac]
> authz_file = /var/www/svnweb/repos/conf/authz
>
> but no way, I can still browse all directories :-(

Did you SIGHUP your webserver/tracd?

Rainer

Jehan PROCACCIA

Oct 12, 2006, 6:03:38 AM
to trac-...@googlegroups.com
of course, I did
$ /etc/init.d/httpd restart

Rainer Sokoll

Oct 12, 2006, 6:34:13 AM
to trac-...@googlegroups.com
On Thu, Oct 12, 2006 at 12:03:38PM +0200, Jehan PROCACCIA wrote:

> of course, I did
> $ /etc/init.d/httpd restart

Please triple check the values of AuthzSVNAccessFile in your webserver's
config against the value of authz_file in trac.ini. They must match.
Also, you may enable debugging in your trac-env.

Rainer

Jehan PROCACCIA

Oct 12, 2006, 7:18:17 AM
to trac-...@googlegroups.com
I have in apache:
<Location /repos>
DAV svn
SVNParentPath /var/www/svnweb/repos
AuthzSVNAccessFile /var/www/svnweb/repos/conf/authz

in trac.ini
[trac]
authz_file = /var/www/svnweb/repos/conf/authz

However, I must recall from my first mail that I "built" the trac
environment like this:

I issued
$ trac-admin /usr/local/tracdb/s2ia initenv
Project Name [My Project]> s2ia
Database connection string [sqlite:db/trac.db]>
Repository type [svn]>
Path to repository [/path/to/repos]> /var/www/svnweb/repos/s2ia
Templates directory [/usr/share/trac/templates]>

I had to specify one of my repos (/var/www/svnweb/repos/s2ia) because I
couldn't do it at the root of all repos (/var/www/svnweb/repos/) :-( ->
trac-admin said that there's no repo at that path ...
Anyway, the svnserve.conf file for repo s2ia does contain a reference to the
unique authz file for all my repos:
[root@share /var/www/svnweb/repos/s2ia/conf]
$ grep authz svnserve.conf
authz-db = /var/www/svnweb/repos/conf/authz

Is it possible that the problem comes from the fact that I point to an
authz file which is outside the s2ia repos on which I built the trac
environment ?
Can I build a trac environment at the root of all my repos
(/var/www/svnweb/repos/) so that there is only one trac config for all of
them ?
Thanks.

PS: my central authz file works fine with authz_svn_module and svnview !

Rainer Sokoll

Oct 12, 2006, 8:57:31 AM
to trac-...@googlegroups.com
On Thu, Oct 12, 2006 at 01:18:17PM +0200, Jehan PROCACCIA wrote:

> I have in apache:
> <Location /repos>
> DAV svn
> SVNParentPath /var/www/svnweb/repos
> AuthzSVNAccessFile /var/www/svnweb/repos/conf/authz
>
> in trac.ini
> [trac]
> authz_file = /var/www/svnweb/repos/conf/authz

I would move authz to somewhere outside the svn path.

Rainer

Jehan PROCACCIA

Oct 12, 2006, 9:11:43 AM
to trac-...@googlegroups.com
OK, you're right it shouldn't be here, so I moved it to
/var/www/svnweb/authz and all my references to it, but that doesn't
change anything to my problem that trac doesn't honor it :-(

Matt Good

Oct 12, 2006, 12:19:58 PM
to Trac Users
jehanproc wrote:
> [s2ia:/project]
> user1 = rw
> * =

Since you have multiple projects in the authz file you also need to set
"authz_module_name" in trac.ini to "s2ia" for that project.

-- Matt Good

Jehan PROCACCIA

Oct 12, 2006, 12:28:30 PM
to trac-...@googlegroups.com
I found the problem

My "central" authz file contains "absolute path" authorization definitions:

[s2ia:/procacci]
procacci = rw
* =

[eph:/commun]
@eph = rw
* =

but my trac initenv refers to a specific repository (here s2ia), so
apparently there's no need to specify the repository name before each
sub-directory as I did with
[s2ia:/procacci]; instead, if I set [/procacci] then access control is
applied as I set it !
So my authz file was read fine by trac, the problem is the content of
that authz file.
Now, is it possible to tell trac to manage different repositories ?
Here under /var/www/svnweb/repos I've got repos/s2ia and repos/eph, is
it possible to have only one trac environment for both repositories ?
If not, how can I centralize my authz file for both ? I don't want to
manage an authz file for svnserve and another one for trac !

Thanks .

Jehan PROCACCIA

Oct 12, 2006, 12:35:17 PM
to trac-...@googlegroups.com
Very good, that was it ! (I just posted a similar conclusion, but without
the solution ... thanks !)
Now that I set
[trac]
authz_file = /var/www/svnweb/authz
authz_module_name = s2ia

[s2ia:/project] is now well honored !

Now, is it possible to have only one trac environment for all my repositories,
or should I repeat in the apache conf X times that definition for my X repositories :
<LocationMatch /cgi-bin/trac\.f?cgi>
SetEnv TRAC_ENV /usr/local/tracdb/s2ia
</LocationMatch>

Thanks.
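
The behaviour the last posts converge on (module-qualified sections need authz_module_name, unqualified sections such as [/procacci] apply without it), as an added example that is not part of the thread and is not Trac's own code: a simplified model of authz section lookup. The [/] catch-all rule, the user2 entry and the function names are assumptions.

```python
import configparser

# Constructed sample: the sections quoted in the thread plus an assumed
# catch-all [/] rule (the thread never shows the top of the real file);
# user2 stands in for the thread's @eph group.
SAMPLE_AUTHZ = """
[/]
* = r

[s2ia:/project]
user1 = rw
* =

[/procacci]
procacci = rw
* =

[eph:/commun]
user2 = rw
* =
"""

def parents(path):
    """Yield path, then each parent up to '/': /a/b -> /a/b, /a, /."""
    path = "/" + path.strip("/")
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def can_read(authz_text, user, path, module_name=None):
    """Simplified lookup: the nearest section with an entry for the user
    (or '*') decides; '[module:/path]' sections are only considered when
    module_name is set, mirroring authz_module_name in trac.ini."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(authz_text)
    for p in parents(path):
        names = ([f"{module_name}:{p}"] if module_name else []) + [p]
        for section in names:
            for who in (user, "*"):
                if cp.has_section(section) and cp.has_option(section, who):
                    return "r" in cp.get(section, who)
    return False  # no rule matched: deny

if __name__ == "__main__":
    for module in (None, "s2ia"):
        print(module, can_read(SAMPLE_AUTHZ, "anonymous", "/project/src", module))
```

Running the same check for an anonymous user against each environment's module name is a quick regression test after editing a shared authz file.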
