Created
March 28, 2013 13:52
-
-
Save jiangxin/5263271 to your computer and use it in GitHub Desktop.
[PATCH] Do not check project permissions for svn redmine binding
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This module is based on a wrong assumption: repository has the same name | |
| with it's project. So it's wrong to check user permissions in project. | |
| We only use this module for authn checking, and use subversion's own | |
| path based authz instead. | |
| Signed-off-by: Jiang Xin <worldhello.net@gmail.com> | |
| --- | |
| extra/svn/Redmine.pm | 39 ++++++++++++--------------------------- | |
| 1 file changed, 12 insertions(+), 27 deletions(-) | |
| diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm | |
| index fbaf177..ec6b6e5 100644 | |
| --- a/extra/svn/Redmine.pm | |
| +++ b/extra/svn/Redmine.pm | |
| @@ -157,17 +157,11 @@ sub RedmineDSN { | |
| my ($self, $parms, $arg) = @_; | |
| $self->{RedmineDSN} = $arg; | |
| my $query = "SELECT | |
| - hashed_password, salt, auth_source_id, permissions | |
| - FROM projects, users, roles | |
| + hashed_password, salt, auth_source_id | |
| + FROM users | |
| WHERE | |
| users.login=? | |
| - AND projects.identifier=? | |
| - AND users.status=1 | |
| - AND ( | |
| - roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id) | |
| - OR | |
| - (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1')) | |
| - ) "; | |
| + AND users.status=1"; | |
| $self->{RedmineQuery} = trim($query); | |
| } | |
| @@ -212,14 +206,6 @@ sub access_handler { | |
| return FORBIDDEN; | |
| } | |
| - my $method = $r->method; | |
| - return OK unless defined $read_only_methods{$method}; | |
| - | |
| - my $project_id = get_project_identifier($r); | |
| - | |
| - $r->set_handlers(PerlAuthenHandler => [\&OK]) | |
| - if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r); | |
| - | |
| return OK | |
| } | |
| @@ -229,7 +215,7 @@ sub authen_handler { | |
| my ($res, $redmine_pass) = $r->get_basic_auth_pw(); | |
| return $res unless $res == OK; | |
| - if (is_member($r->user, $redmine_pass, $r)) { | |
| + if (do_authn($r->user, $redmine_pass, $r)) { | |
| return OK; | |
| } else { | |
| $r->note_auth_failure(); | |
| @@ -328,13 +314,12 @@ sub anonymous_role_allows_browse_repository { | |
| # return 1 if (stat($repos_path))[2] & 00007; | |
| # } | |
| -sub is_member { | |
| +sub do_authn { | |
| my $redmine_user = shift; | |
| my $redmine_pass = shift; | |
| my $r = shift; | |
| my $dbh = connect_database($r); | |
| - my $project_id = get_project_identifier($r); | |
| my $pass_digest = Digest::SHA::sha1_hex($redmine_pass); | |
| @@ -343,20 +328,20 @@ sub is_member { | |
| my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config); | |
| my $usrprojpass; | |
| if ($cfg->{RedmineCacheCredsMax}) { | |
| - $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode); | |
| + $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$access_mode); | |
| return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest)); | |
| } | |
| my $query = $cfg->{RedmineQuery}; | |
| my $sth = $dbh->prepare($query); | |
| - $sth->execute($redmine_user, $project_id); | |
| + $sth->execute($redmine_user); | |
| my $ret; | |
| - while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) { | |
| + while (my ($hashed_password, $salt, $auth_source_id) = $sth->fetchrow_array) { | |
| unless ($auth_source_id) { | |
| my $method = $r->method; | |
| my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest); | |
| - if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) { | |
| + if ($hashed_password eq $salted_password) { | |
| $ret = 1; | |
| last; | |
| } | |
| @@ -382,7 +367,7 @@ sub is_member { | |
| filter => "(".$rowldap[6]."=%s)" | |
| ); | |
| my $method = $r->method; | |
| - $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/)); | |
| + $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass)); | |
| } | |
| $sthldap->finish(); | |
| @@ -396,10 +381,10 @@ sub is_member { | |
| if ($cfg->{RedmineCacheCredsMax} and $ret) { | |
| if (defined $usrprojpass) { | |
| - $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest); | |
| + $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest); | |
| } else { | |
| if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) { | |
| - $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest); | |
| + $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest); | |
| $cfg->{RedmineCacheCredsCount}++; | |
| } else { | |
| $cfg->{RedmineCacheCreds}->clear(); | |
| -- | |
| 1.8.2.61.g7b9a419 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment