- Join us
TCM's Software Repository Web Frontend
The web frontend to the repository server only provides download access. The machine on which the web server runs simply has no write access to the repository data. It can be configured, on a per-repository basis, to provide no access, Raven-authenticated access, http with password authenticated access, or anonymous access.
By default it gives no access. If access is to be provided, it is additionally required that a user in the group www can read the files to be served. as files are world-readable by default, this is not an issue unless you have removed world readability. Details on how to proceed if you have can be found in the example transcript.
As is/was conventional in Cambridge, spqr1 is used to mean `put the relevant user id here.'
Using the Web Interface
For a project to be listed / served, the subdirectory containing the project must contain a file called allow (both subversion and CVS will ignore this file). This file contains a list of user IDs, one line per user, or the special user id of the single character "*" meaning allow anonymous access. Blank lines, and comment lines (lines starting with a "#") are also permitted. Trailing comments and multiple words per line (except in comments) are not.
For anonymous access, a URL such as http://src.tcm.phy.cam.ac.uk/viewvc/spqr1/ suffices.
For Raven-based authentication, users should simply visit http://src.tcm.phy.cam.ac.uk/raven/ first, and then a URL such as the above. Alternatively, a URL such as http://src.tcm.phy.cam.ac.uk/raven/viewvc/spqr1/ will do everything in a single step.
For per-user password files, one needs to create a public_html directory on the CVS server. This should then contain a .htaccess file with the contents:
AuthType Basic AuthName "Password Required for access to spqr1's projects" AuthUserFile /home/spqr1/htpasswd Require valid-userand the file htpasswd should be created in one's home directory on the CVS server, and should contain lines of the form
Such lines can be generated using
cvs-chroot:~$ htpasswd fred rubbish fred:Wr/5GnnT7bptc
(If this program returns a line ending ":*0", then please retry - there is a bug involving generating the random salt.)
(One can maintain files on the server using vi, scp or sftp.)
With such files in place, URLs of the form
https://src.tcm.phy.cam.ac.uk/~spqr1/viewvc/should work. Note that the https is required (as otherwise passwords would be sent unencrypted), that there will be a warning about a self-signed certificate, and that there is nothing called `viewvc' in spqr1's public_html directory. You may use https for all other pages too.
Summary of web access
|http://src.tcm.phy.cam.ac.uk/raven/viewvc/spqr1/||Raven authenticated access|
|https://src.tcm.phy.cam.ac.uk/~spqr1/viewvc/||htpasswd authenticated access|
For htpasswd authenticated access to work, a public_html directory must exist as described above.
Https is required for htpasswd-based authentication. It is optional otherwise.
Complex Access Problems
Some people would like different sets of people to have access to different parts of the same repository. You need read this section only if you wish to play such games...
When accessing the file "foo/bar/baz.c" from the repository "womble" in sqpr1's home directory, the following checks will be made, in the order given:
- Does ~spqr1/womble/allow exist? If not, deny access and look no further.
- Does ~spqr1/womble/allow permit access to the given user? If not, deny access and look no further.
- Does ~spqr1/womble/foo.bar.baz.c.allow exist? If so, permit or deny based on its contents, and look no further.
- Does ~spqr1/womble/foo.bar.allow exist? If so, permit or deny based on its contents, and look no further.
- Does ~spqr1/womble/foo.allow exist? If so, permit or deny based on its contents, and look no further.
- Permit access.
(In other words, after accessing the main allow file, if any xxx.allow files exist, only the closest match is used, rather than requiring a whole hierarchy to match. Forward slashes in the path are replaced by dots when constructing the name, as this makes better sense in the subversion world.)
It is believed that users attempting to download tarballs of a tree will receive only the files which they have access to by the above scheme. The nervous may wish to test this.