> > authenticated user name. Using group authentication requires specifying > > a path to the Apache group file in the configuration. > > > > Using .htaccess has an additional bonus that the same authentication > > data can be used both for gitweb and the dumb http transport. > > I'm not sure if it wouldn't be a better solution to try to ask web > server to do authentication, for example in MOD_PERL case via $r > object (if I remember correctly)... You are right. I never used mod_perl before, so I didn't know that it's possible. How about the following patch, that simply adds a hook, and provides an example using mod_perl in the documentation? --- >8 --- Subject: [PATCH] gitweb: Add a per-repository authorization hook. Add a configuration variable that can be used to specify an arbitrary subroutine that will be called in the same situations where $export_ok is checked, and its return value used to decide whether the repository is to be shown. This allows the user to implement custom authentication schemes, for example by issuing a subrequest through mod_perl and checking if Apache will authorize it. Signed-off-by: Alexander Gavrilov <angavrilov@xxxxxxxxx> --- gitweb/INSTALL | 21 +++++++++++++++++++++ gitweb/gitweb.perl | 8 +++++++- 2 files changed, 28 insertions(+), 1 deletions(-) diff --git a/gitweb/INSTALL b/gitweb/INSTALL index 26967e2..fa5917a 100644 --- a/gitweb/INSTALL +++ b/gitweb/INSTALL @@ -166,6 +166,27 @@ Gitweb repositories shows repositories only if this file exists in its object database (if directory has the magic file named $export_ok). +- Finally, it is possible to specify an arbitrary perl subroutine that + will be called for each project to determine if it can be exported. + The subroutine receives an absolute path to the project as its only + parameter. + + For example, if you use mod_perl to run the script, and have dumb + http protocol authentication configured for your repositories, you + can use the following hook to allow access only if the user is + authorized to read the files: + + $export_auth_hook = sub { + use Apache2::SubRequest (); + use Apache2::Const -compile => qw(HTTP_OK); + my $path = "$_[0]/HEAD"; + my $r = Apache2::RequestUtil->request; + my $sub = $r->lookup_file($path); + return $sub->filename eq $path + && $sub->status == Apache2::Const::HTTP_OK; + }; + + Generating projects list using gitweb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 172ea6b..9329880 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -95,6 +95,11 @@ our $default_projects_order = "project"; # (only effective if this variable evaluates to true) our $export_ok = "++GITWEB_EXPORT_OK++"; +# show repository only if this subroutine returns true +# when given the path to the project, for example: +# sub { return -e "$_[0]/git-daemon-export-ok"; } +our $export_auth_hook = undef; + # only allow viewing of repositories also shown on the overview page our $strict_export = "++GITWEB_STRICT_EXPORT++"; @@ -400,7 +405,8 @@ sub check_head_link { sub check_export_ok { my ($dir) = @_; return (check_head_link($dir) && - (!$export_ok || -e "$dir/$export_ok")); + (!$export_ok || -e "$dir/$export_ok") && + (!$export_auth_hook || $export_auth_hook->($dir))); } # process alternate names for backward compatibility -- tg: (0d4f9de..) t/authenticate/hook (depends on: t/authenticate/unify-exportok) -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html