I'm starting up a small open source project and I have a repository and Trac instance running already. I installed the AccountManager plugin and I have the RegistrationModule, because I want users to be able to make accounts and submit tickets even without increased permissions (aka I want bug reports to be filed by anybody).

I've set up read access and write access only to authenticated users. Here's part of my dav_svn.conf file.

AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /trac-pages/ocm/htpasswd

# To enable authorization via mod_authz_svn
#AuthzSVNAccessFile /etc/apache2/dav_svn.authz

# The following three lines allow anonymous read, but make
# committers authenticate themselves.  It requires the 'authz_user'
# module (enable it with 'a2enmod').
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Require valid-user
</LimitExcept>

But if somebody uses the RegistrationModule on Trac and creates an account, then they can write to the repository without being given further permissions. I want to make it so that only users in the "authenticated" group on Trac can commit to the repository.

A: 

Uhm... The "authenticated" group on Trac automatically contains all users that have logged in, including everyone who just registered a new account and logged in. So it sounds like you need a way to restrict svn access to only those users with some other permission/group. (And you can create arbitrary new permissions using sample-plugins/permissions/extrapermissionsprovider.py from the Trac sources.)

I don't know how you would make svn look at Trac for that information though.

You might look into this or this plugin from trac-hacks to let you manage your svn access from within Trac. (Caveat: I haven't used them.) That may let you do something close to what you want.

Disclosure: I am one of the Trac devs.

retracile
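One way to apply the answer's suggestion of gating commits on something other than "any valid login", shown as an added example that is not part of the original question or answer: keep the shared htpasswd for authentication, but authorize writes against a separate group file that Trac registration cannot modify. The group file path, the group name `committers`, and the user names `alice` and `bob` are assumptions made for illustration.

```apache
# Authentication still uses the htpasswd file that Trac's AccountManager
# writes to, so every self-registered account remains a "valid user".
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /trac-pages/ocm/htpasswd

# Authorization for writes comes from a second file, maintained by hand by
# the repository admin. It needs mod_authz_groupfile
# (enable it with 'a2enmod authz_groupfile').
# The path below is an assumed location; keep the file somewhere the Trac
# process cannot write to.
AuthGroupFile /etc/apache2/svn-committers.groups

# Contents of that group file, one line per group (constructed sample):
#
#   committers: alice bob

# Anonymous read is unchanged. Any other method (commit, lock, ...) now
# requires membership in the 'committers' group instead of 'valid-user'.
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Require group committers
</LimitExcept>
```

Only list names in the group file that already exist in the htpasswd file and belong to the intended person, since account names are still handed out by Trac's open registration.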