Affects Version/s: 1.9.7, 1.10.0-alpha3
Fix Version/s: None
Environment:
Linux thorstenknbl1 4.9.78-040978-generic #201801231931 SMP Tue Jan 23 19:32:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
httpd 2.4.29
[14:15:05][tkrah@thorstenknbl1:~/Development/src/subversion] $ svn info
Pfad: .
Wurzelpfad der Arbeitskopie: /home/tkrah/Development/src/subversion
URL: https://svn.apache.org/repos/asf/subversion/trunk
Relative URL: ^/subversion/trunk
Basis des Projektarchivs: https://svn.apache.org/repos/asf
UUID des Projektarchivs: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 1821650
Knotentyp: Verzeichnis
Plan: normal
Letzter Autor: julianfoad
Letzte geänderte Rev: 1821621
Letztes Änderungsdatum: 2018-01-19 12:29:49 +0100 (Fr, 19. Jan 2018)
This is the bug report already discussed in the user list threads here:
and on the dev list here:
In short this is the recipe:
If you use a Lua module to authenticate your users, done via:
- Use the repo from the existing test suite and configure a location like this:
- The authz file just contains:
- The auth.lua hook authcheck_hook reads like this:
mod_authz_svn fails to authorize the users which should have access to the repository.
There are 2 main reasons imho:
- mod_authz_svn expects an AuthType to be set, which is not needed when doing authentication via mod_lua - so this assumption should be removed from the code - see the notes below on whether it is a good idea to check that at all. But even if AuthType is set, it will fail on the next assumption.
- It expects an Authorization header in order to guess whether the user wants to authenticate, so that it lets the request continue on the request stack and actually reach the configured Lua handler, which sets the user on the request - but this is imho also wrong. This assumption only holds for basic authentication - which is not done here. Arbitrary authentication may be implemented in the Lua hook - so mod_authz_svn should not make any assumptions about that header's existence either.
AuthType seems to be used to determine whether auth is configured at all - that does not seem to be the correct check in any use case.
Also have a look at:
where I asked on the httpd list how this check of whether auth is configured at all could be done - there are ways, but as Eric Covener said there:
So it seems the code should not rely on that check at all.
Something off-topic maybe:
Using the same Lua handler to authenticate other locations - e.g. to show a directory index or some static HTML files served by httpd - does work, so I would expect mod_authz_svn to work here too.