[PATCH] Do not check project permissions for svn redmine binding
This module is based on a wrong assumption: that a repository has the same
name as its project. So it is wrong to check user permissions in the project.
We only use this module for authn checking, and use subversion's own
path based authz instead.
Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
---
extra/svn/Redmine.pm | 39 ++++++++++++---------------------------
1 file changed, 12 insertions(+), 27 deletions(-)
diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm
index fbaf177..ec6b6e5 100644
--- a/extra/svn/Redmine.pm
+++ b/extra/svn/Redmine.pm
@@ -157,17 +157,11 @@ sub RedmineDSN {
my ($self, $parms, $arg) = @_;
$self->{RedmineDSN} = $arg;
my $query = "SELECT
- hashed_password, salt, auth_source_id, permissions
- FROM projects, users, roles
+ hashed_password, salt, auth_source_id
+ FROM users
WHERE
users.login=?
- AND projects.identifier=?
- AND users.status=1
- AND (
- roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id)
- OR
- (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1'))
- ) ";
+ AND users.status=1";
$self->{RedmineQuery} = trim($query);
}
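Review bot: The rewritten query in `RedmineDSN` matches any active account by login alone, so this module no longer makes any authorisation decision, and nothing in the code says so. Together with the dropped `permissions` tests in the two later `do_authn` hunks (the local-password comparison and the LDAP branch), every repository behind this handler appears to be open to any active Redmine user unless Subversion's path-based authz is configured alongside it. I would add a comment above the query such as `# Authentication only: access control must come from mod_authz_svn (AuthzSVNAccessFile).` and repeat that requirement in the module's configuration documentation.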
@@ -212,14 +206,6 @@ sub access_handler {
return FORBIDDEN;
}
- my $method = $r->method;
- return OK unless defined $read_only_methods{$method};
-
- my $project_id = get_project_identifier($r);
-
- $r->set_handlers(PerlAuthenHandler => [\&OK])
- if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
-
return OK
}
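Review bot: With the read-only/public-project block gone from `access_handler`, nothing visible here lets an anonymous request skip the authen handler, so public projects that were browsable without credentials will presumably start asking for a login; the commit message does not mention this. If it is intended, the description should say so. The helpers the removed block called, `is_public_project` and `anonymous_role_allows_browse_repository` (the latter still defined, judging by a later hunk header), look unreferenced after this change and could be removed in the same commit. `access_handler` begins outside the hunk.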
@@ -229,7 +215,7 @@ sub authen_handler {
my ($res, $redmine_pass) = $r->get_basic_auth_pw();
return $res unless $res == OK;
- if (is_member($r->user, $redmine_pass, $r)) {
+ if (do_authn($r->user, $redmine_pass, $r)) {
return OK;
} else {
$r->note_auth_failure();
@@ -328,13 +314,12 @@ sub anonymous_role_allows_browse_repository {
# return 1 if (stat($repos_path))[2] & 00007;
# }
-sub is_member {
+sub do_authn {
my $redmine_user = shift;
my $redmine_pass = shift;
my $r = shift;
my $dbh = connect_database($r);
- my $project_id = get_project_identifier($r);
my $pass_digest = Digest::SHA::sha1_hex($redmine_pass);
@@ -343,20 +328,20 @@ sub is_member {
my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
my $usrprojpass;
if ($cfg->{RedmineCacheCredsMax}) {
- $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
+ $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$access_mode);
return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
}
my $query = $cfg->{RedmineQuery};
my $sth = $dbh->prepare($query);
- $sth->execute($redmine_user, $project_id);
+ $sth->execute($redmine_user);
my $ret;
- while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {
+ while (my ($hashed_password, $salt, $auth_source_id) = $sth->fetchrow_array) {
unless ($auth_source_id) {
my $method = $r->method;
my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
- if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
+ if ($hashed_password eq $salted_password) {
$ret = 1;
last;
}
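Review bot: The cache lookup at the top of this hunk returns 1 before the query runs, so the `users.status=1` condition is not re-checked for a credential that is already cached. A locked account, or one whose password was changed, keeps authenticating with the old password until the cache is cleared, and the lines shown clear it only when `RedmineCacheCredsCount` reaches `RedmineCacheCredsMax`. Now that the password match is the only gate left in this module, that window deserves at least a comment next to the lookup, e.g. `# NOTE: cached entries bypass the status check until the cache is cleared`, or a bounded lifetime for entries. The cached value is also an unsalted SHA-1 of the password (`$pass_digest`). `do_authn` starts and ends outside the hunk.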
@@ -382,7 +367,7 @@ sub is_member {
filter => "(".$rowldap[6]."=%s)"
);
my $method = $r->method;
- $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
+ $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass));
}
$sthldap->finish();
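Review bot: Nothing in the visible lines rejects an empty `$redmine_pass` before it reaches `$ldap->authenticate`, and with the permission test removed a successful bind is now the only condition for `$ret = 1`. Whether an empty password can ever yield a successful bind depends on the LDAP adapter and directory configuration, neither of which is shown, so an explicit guard is the safer form: `$ret = 1 if (length($redmine_pass) && $ldap->authenticate($redmine_user, $redmine_pass));`. The `my $method = $r->method;` just above is not used by the new statement and looks removable. The enclosing block starts outside the hunk.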
@@ -396,10 +381,10 @@ sub is_member {
if ($cfg->{RedmineCacheCredsMax} and $ret) {
if (defined $usrprojpass) {
- $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
+ $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest);
} else {
if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
- $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
+ $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest);
$cfg->{RedmineCacheCredsCount}++;
} else {
$cfg->{RedmineCacheCreds}->clear();
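Review bot: The cache key still carries `$access_mode` although the authentication result no longer depends on it after this change. Each user can therefore occupy one entry per mode, and `RedmineCacheCredsCount` approaches `RedmineCacheCredsMax` faster than it needs to. Keying on the login alone would do: `$cfg->{RedmineCacheCreds}->set($redmine_user, $pass_digest);` in both `set` calls here, with the matching `get($redmine_user)` in the lookup of the earlier hunk. If `$access_mode` then has no other use in `do_authn` (its definition is outside the visible lines), it can be dropped as well. The function continues outside the hunk.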
--
1.8.2.61.g7b9a419