I am using VirtualSVN + Trac-plugin on Windows for multiple projects. I have configured users and groups in VirtualSVN, so that only authorized users/groups can access the specified resources.

For instance:

  1. Customer1 can access Repository1 and Trac1
  2. Customer2 can access Repository2 and Trac2
  3. Anonymous cannot access any svn repository.

On my system, once Customer2 is logged in, he can access Repository2 and Trac2, but also Trac1. This is not as expected.

The Apache configuration part for svn:

<Location /svn>
  DAV svn

  SVNListParentPath off
  SVNParentPath "D:/repos/svn"
  SVNPathAuthz on

  AuthName "Subversion Repositories"
  AuthType Basic
  AuthBasicProvider file
  AuthUserFile "D:/repos/svn/htpasswd"
  AuthzSVNAccessFile "D:/repos/svn/authz"

  require valid-user
</Location>

The Apache configuration part for Trac:

LoadModule python_module "trac/python/mod_python_so.pyd"
LoadModule authz_user_module "bin/mod_authz_user.so"

<Location /trac>
  SetHandler mod_python
  PythonInterpreter main_interpreter
  PythonHandler trac.web.modpython_frontend
  PythonOption TracEnvParentDir "d:/repos/trac"
  PythonOption TracUriRoot /trac

  AuthName "Trac"
  AuthType Basic
  AuthBasicProvider file
  AuthUserFile "d:/repos/svn/htpasswd"

  Require valid-user
</Location>

I tried to declare AuthzSVNAccessFile "D:/repos/svn/authz" for Trac. But it definitely does not work.

Can anyone help me to make this correct? Thanks in advance.

This question can be split into two parts:

1) Limiting browsing of the svn source with trac according to the authz file

You have to tell trac where the authz file is.

Edit the trac.ini file at d:/repos/trac/tracX/trac.ini:

authz_file = D:/repos/svn/authz
authz_module_name = name_of_the_module_as_in_authz_file_for_this_trac

2) Limiting who can access which trac.

It has nothing to do with the authz file, as trac does not use it to grant permissions in the trac system.

When using basic auth you have two options:

a) If you give up the single configuration with TracEnvParentDir and change it to two Location entries, you can then change the Require directive:

<Location /trac/trac1>
    Require user Customer1
</Location>

<Location /trac/trac2>
    Require user Customer2
</Location>

Although this is impractical if you have more tracs.

b) Set proper permissions inside the tracs. Every user will be able to "log in" to all tracs, but won't be able to access anything there.

Remove all permissions from the user "authenticated" and give permissions to the proper users. Something like:

trac-admin d:/repos/trac/trac1 permission remove authenticated *
trac-admin d:/repos/trac/trac2 permission remove authenticated *
trac-admin d:/repos/trac/trac1 permission add Customer1 TICKET_CREATE TICKET_MODIFY WIKI_CREATE WIKI_MODIFY
trac-admin d:/repos/trac/trac2 permission add Customer2 TICKET_CREATE TICKET_MODIFY WIKI_CREATE WIKI_MODIFY

Keeping authz and trac permissions in sync is a whole other problem :) It would be best to write some custom scripts exactly matching your environment to add and remove permissions if you are going to do that a lot.
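
The custom sync script suggested in the answer could look like the following, an added example that is not part of the original answer: it reads the root-level rules of an authz file and builds the matching trac-admin commands. The repository-to-Trac mapping, the sample authz content and the read-only permission set (TICKET_VIEW WIKI_VIEW) are assumptions.

```python
import configparser

# Assumed mapping (hypothetical): authz repository name -> Trac environment path.
REPO_TO_TRAC = {"Repository1": "d:/repos/trac/trac1",
                "Repository2": "d:/repos/trac/trac2"}
# Assumed policy: what an svn access level translates to in Trac.
PERMS = {"rw": "TICKET_CREATE TICKET_MODIFY WIKI_CREATE WIKI_MODIFY",
         "r": "TICKET_VIEW WIKI_VIEW"}
# Constructed sample authz content, not taken from the original post.
SAMPLE_AUTHZ = """
[groups]
team1 = Customer1, Alice

[Repository1:/]
@team1 = rw
* =

[Repository2:/]
Customer2 = rw
Bob = r
* =
"""

def expand(name, groups, seen=()):
    """Resolve a user or @group (groups may nest) to a set of user names."""
    if not name.startswith("@"):
        return {name}
    if name in seen:          # guard against group cycles
        return set()
    members = groups.get(name[1:], "").split(",")
    return set().union(*(expand(m.strip(), groups, seen + (name,))
                         for m in members if m.strip()))

def sync_commands(authz_text):
    """Return trac-admin commands mirroring the root-level authz rules."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str     # keep user names case-sensitive
    cfg.read_string(authz_text)
    groups = dict(cfg["groups"]) if cfg.has_section("groups") else {}
    cmds = []
    for repo, env in REPO_TO_TRAC.items():
        cmds.append(f"trac-admin {env} permission remove authenticated *")
        section = f"{repo}:/"
        for who, level in (cfg.items(section) if cfg.has_section(section) else []):
            if who == "*" or level.strip() not in PERMS:
                continue      # never turn a wildcard or empty rule into a grant
            for user in sorted(expand(who, groups)):
                cmds.append(f"trac-admin {env} permission add {user} {PERMS[level.strip()]}")
    return cmds
```

The function only returns the command strings, so they can be reviewed before being run. It does not revoke Trac grants of users who were later removed from the authz file; those still need a `permission remove` for the user.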

