I like your patch very much as it adds cool new features and cleans up the code. Thank you very much for sharing! :-)
Some time ago I added a patch to Redmine to authenticate against an LDAP server as user (see #1913).
To make this work with your enhanced version of Redmine.pm a patch is required that scans the LDAP binddn for the occurance of the string "$login" and if it is there the string will be replaced by the username of the current user (and used together with his password to authenticate against the LDAP server). The modification is minor and completely backwards compatible with unpatched Redmine. So you might safely add this patch to RedmineAdvanced.pm and it will just work... :-)
--------------------------------------------------------------------------------
Thnx, very useful patch!
--------------------------------------------------------------------------------
I updated the query at line 199 to cope with the removal of the member_roles table in latest 0.8 stable.

--------------------------------------------------------------------------------
Updated query result checks to be compatible with sqlite.

The diff is applied on Arnaud's file.
--------------------------------------------------------------------------------
The script gives open access when the project stated in "RedmineProjectId" does not exist in redmine.
--------------------------------------------------------------------------------
Lluís Vilanova wrote:
> The script gives open access when the project stated in "RedmineProjectId" does not exist in redmine.

Yes, you're right but only when one of following conditions is satisfied:
* READ access is requested and "Authentication required" is not checked (in Administration -> Settings -> Authentication)
* current user is an administrator of the redmine site
* *RedmineAuthenticationOnly* is defined

In my opinion, only the first condition may introduce a security hole and administrators should be aware of it...
--------------------------------------------------------------------------------
How do I use these files?
I have 0.8-stable as-is.
Thanks.

--------------------------------------------------------------------------------
I replaced Redmine.pm for this RedmineAdvanced.pm, and copied it to perl5/apache folders.
Am I doing it correctly?
--------------------------------------------------------------------------------
Well, I replaced all Redmine.pm for RedmineAdvanced.pm, and updated dav_svn.conf with the new name.
How do I use the new features?
Tks.
--------------------------------------------------------------------------------
Well here are some examples:

Example1 : Most used case. Users will be authenticated with redmine and you will give them read and write authorization based on roles/permissions. In this example, user will have read access when having a role with the "Browse repository" permission (and commit/write access when having the "Commit access" permission).
<pre>
PerlLoadModule Apache::Authn::RedmineAdvanced
<Location /svn>
DAV svn
SVNParentPath /var/svn

AuthType Basic
AuthName "REDMINE area"
Require valid-user

PerlAccessHandler Apache::Authn::RedmineAdvanced::access_handler
PerlAuthenHandler Apache::Authn::RedmineAdvanced::authen_handler
RedmineDSN "DBI:mysql:database=redmine;host=localhost"
RedmineDbUser "redmine"
RedmineDbPass "XXXXXX"
RedmineReadPermissions :browse_repository
RedmineWritePermissions :commit_access
</Location>
</pre>

Example2 : For a specific repository, you want to manage the rights granted to people with the AuthzSVNAccessFile directive. In this case, you only want to authenticate users (authorization will be defined in the file used the AuthzSVNAccessFile directive).
<pre>
PerlLoadModule Apache::Authn::RedmineAdvanced
<Location /svn2/myrepo>
DAV svn
SVNPath /mnt/subversion/myrepo
AuthzSVNAccessFile /mnt/subversion/accesslist

AuthType Basic
AuthName "REDMINE area"
Require valid-user

PerlAccessHandler Apache::Authn::RedmineAdvanced::access_handler
PerlAuthenHandler Apache::Authn::RedmineAdvanced::authen_handler
RedmineDSN "DBI:mysql:database=redmine;host=localhost"
RedmineDbUser "redmine"
RedmineDbPass "XXXXXX"
RedmineAuthenticationOnly "On"
</Location>
</pre>

Example 3: You have installed a web application on your server (a dokuWiki instance, for example) and you want to allow access only to members of a specific redmine's project (for example, the project "myproject"). Read and write access are given if users have "View wiki" or "Edit wiki pages" permissions...
<pre>
PerlLoadModule Apache::Authn::RedmineAdvanced
<Directory "/var/www/html/dokuWiki">
AuthType Basic
AuthName "REDMINE area"
Require valid-user

PerlAccessHandler Apache::Authn::RedmineAdvanced::access_handler
PerlAuthenHandler Apache::Authn::RedmineAdvanced::authen_handler
RedmineDSN "DBI:mysql:database=redmine;host=localhost"
RedmineDbUser "redmine"
RedmineDbPass "XXXXXX"
RedmineProjectId myproject
RedmineReadPermissions :view_wiki_pages
RedmineWritePermissions :edit_wiki_pages
</Location>
</pre>

Hope this will help you....
--------------------------------------------------------------------------------
This is perhaps a minor issue, but when a repository exists and a Redmine administrator authenticates, access is denied. I would say that a Redmine administrator should be granted access to all Redmine-managed assets. Looking at the MySQL general log, the following queries are issued:
<pre>
SELECT hashed_password, auth_source_id
FROM users
WHERE users.status=1 AND login='bnordgren'
SELECT host,port,tls,account,account_password,base_dn,attr_login
from auth_sources
WHERE id = '1'
SELECT is_public FROM projects WHERE projects.identifier='private'
SELECT permissions
FROM members, projects, users, roles
WHERE projects.id=members.project_id AND
users.id=members.user_id AND
roles.id=members.role_id AND
users.status=1 AND
login='bnordgren' AND
identifier='private'
</pre>

I made the same complaint against the "official version" of @Redmine.pm@ in #5070. :) If it is not always desirable to have redmine administrators be granted access, perhaps it could be an option? I'd do it myself but I don't know perl, and for the moment I can live with adding myself to the projects.
--------------------------------------------------------------------------------
Also, it's probably best to make clear that the @member_roles@ table was apparently _added_ in 0.9.x, and not _removed_ in the latest 0.8 stable as mentioned by Thimios Dimopulos above. So if you're running 0.9.x download the original version attached to this ticket. If you're running 0.8.x, download the version by Thimios Dimopulos. Your apache will thank you.
--------------------------------------------------------------------------------
Bryce Nordgren wrote:
> This is perhaps a minor issue, but when a repository exists and a Redmine administrator authenticates, access is denied. I would say that a Redmine administrator should be granted access to all Redmine-managed assets. Looking at the MySQL general log, the following queries are issued:
> [...]
>
> I made the same complaint against the "official version" of @Redmine.pm@ in #5070. :) If it is not always desirable to have redmine administrators be granted access, perhaps it could be an option? I'd do it myself but I don't know perl, and for the moment I can live with adding myself to the projects.

Well, I think you can patch my original file if you need. Just insert the following line at line number 321:
<pre>
return OK if ( is_admin( $r->user, $r ) );
</pre>
I didn't test the result but it should work as you like...

From my point of view, as an administrator, I don't want to bypass security access all the time but I understand your complaint...
--------------------------------------------------------------------------------
Thanks for the patch. :) I'm not very familiar with perl and this gives me the head start I needed.

My requirement for some kind of "security bypass" has to do with creating mirrors of all the repositories. Redmine and the subversion repositories are outside the firewall, and I want to @svnsync@ all repositories to another machine nightly. Since I'm allowing my users to create non-public subversion repositories, I need a user that will always have access.
--------------------------------------------------------------------------------
Does this still work in the latest versions of Redmine? I'm looking to allow some users to be able to do Example #2 on their project.
--------------------------------------------------------------------------------
Yes, I'm using it with redmine 1.1.0
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
I reworked my own Redmine.pm yesterday and discovers this patch today. I have go the same way to enhance it but there are some differences :
* It is using the proper authentication (authn) and authorization (authz) handlers instead of access and authentication ones. They could theoretically work separately.
* The authentication phase only authenticates, e.g. checks login/password. It honors the 'login_required' settings. It returns "AUTH_REQUIRED" in case of password mismatch and "FORBIDDEN" for inactive accounts.
* The authorization phase checks if the authenticated user is allowed. It properly honor anonymous and non-member permissions on public projects. It returns "FORBIDDEN" if the user is not authorized, but for anonymous. In the latter case, it returns "AUTH_REQUIRED" to enforce login.
* The credential cache takes the required permission into account. With the shipped Redmine.pm, I think you can commit right after doing reading since the required permissions are not tested.
* I have added a RedmineCacheCredsMaxAge setting to define an expiration delay.
* The credential cache only works if you use both handlers. Credentials are recorded in the authz handler and they are tested in the authn handler during subsequent requests.

The whole thing needs to be tested and I think I will add some other features I have seen there. I am not sure how I should adapt the where-clause setting, as I have added some queries.

Hope this helps.
--------------------------------------------------------------------------------
It*s really sag this imrproved feature is still bot planned. I actually found this after i made a thread request, that would be covered by this patch

http://www.redmine.org/boards/2/topics/39274
--------------------------------------------------------------------------------
The RedmineAddvanced.pm is released in context of the webdav plugin.

https://github.com/amartel/redmine_webdav/blob/master/extra/svn/RedmineAdvanced.pm

see https://github.com/amartel/redmine_webdav

--------------------------------------------------------------------------------

relates,New,5070,Redmine.pm does not allow Administrators to access svn repositories