On Mon, 3 Nov 2008, Francis Galiegue wrote: > Le Monday 03 November 2008 20:17:47 Jakub Narebski, vous avez écrit : > > Dnia poniedziałek 3. listopada 2008 19:44, Francis Galiegue napisał: > > > Le Monday 03 November 2008 19:18:56 Jakub Narebski, vous avez écrit : > > > > Well, the question is if Apache (and other web servers used with > > > > gitweb) can do authentication based on path_info or on query-string. > > > > Because it is encoded in gitweb (via $projectroot) where to find git > > > > repositories... > > > > > > > > > > Can you expand on path_info and query-string? Keep in mind that Apache > > > has mod_rewrite, which can rewrite URLs in any way before it gets > > > actually sent to the underlying program (whether it be a CGI or > > > anything else), even badly (or mischievously). > > > > What I mean here that the following example gitweb URLs > > > > http://example.com/gitweb.cgi?p=some/project.git;a=commit;h=HEAD > > http://example.com/gitweb.cgi/some/project.git/commit/HEAD > > > > with the following gitweb configuration > > > > $projectroot = /var/scm > > > > both refer to git repository (directory) at > > > > /var/scm/some/project.git > > > > Apache (or other web server) would have to somehow decide based on URL > > that it refers to some project, and based on project and authentication > > decide whether to grant access to it. > > > > > > What is more, and what cannot be done by web server alone, is that we > > would want to not show projects which you don't have access to in the > > 'projects_list' page, i.e. at > > > > http://example.com/gitweb.cgi > > On the other hand we can decide to display projects for which user doesn't have access (via HTTP authentication) for, just like directories in *Index* directive can be shown even if they cannot be accessed. > I see the point. Note that the second URL can be converted into the first > one with mod_rewrite, and probably the first to the second as well. > > As to what repository is accessible to whom, does gitweb really have > an internal mechanism for this? Wouldn't it be "better" is privately > accessible projects were available on another website to start with? The problem is that Apache has to decide whether to deny or grant access based on URL, not on path in filesystem. Perhaps that is possible... As to having in gitweb mechanism for this... even now gitweb supports bare-bones access control in terms of $export_ok. BTW you can have not displayed but still accessible.project -- Jakub Narebski Poland -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html