This thread's topic has moved from a proposed patch to how I should configure my gitweb, so I'm updating the subject. As a review: I have several public repos and several basic-authentication realms, each of which requires a single user and contains a single repo (some realms might contain multiple repos in the future). Each request has its authorization checked by the Web server before it reaches gitweb, so my main concern here is to avoid publicly disclosing the private repos' paths, authors, and descriptions in the main project list. On Fri, 2009-01-02 at 20:33 +0100, Jakub Narebski wrote: > On Wed, 2008-12-24, Matt McCutchen wrote: > > On Sat, 2008-12-13 at 14:02 -0800, Jakub Narebski wrote: > > > > > > Cannot you do this with new $export_auth_hook gitweb configuration > > > variable, added by Alexander Gavrilov in > > > dd7f5f1 (gitweb: Add a per-repository authorization hook.) > > > It is used in check_export_ok subroutine, and is is checked also when > > > getting list of project from file > > > > > > From gitweb/INSTALL > [...] > > > For example, if you use mod_perl to run the script, and have dumb > > > http protocol authentication configured for your repositories, you > > > can use the following hook to allow access only if the user is > > > authorized to read the files: > [...] > > > $export_auth_hook would work, and it would have the nice (but not > > essential) feature of including private projects in the list shown to > > suitably authenticated users. The only problem is that my Web host > > doesn't support mod_perl. Is there a practical way to accomplish the > > same thing as the above example in a CGI script? I would like to avoid > > reimplementing Apache authentication-checking functionality if at all > > possible. > > I know it is written that the example code is for mod_perl, but I > don't think it is mod_perl specific; have you checked if it works > for you? I assume that you use Apache, and have Apache Perl bindings > installed... I'm quite sure that the code is mod_perl specific. CGI scripts do get some information from Apache via the environment, but interaction as rich as executing Apache subrequests is only possible when the code is running inside Apache via mod_perl. In fact, the Apache2::SubRequest and Apache2::RequestUtil modules are part of mod_perl. To make sure I'm not missing something, I tested the code on an Apache with mod_perl enabled but gitweb executing as a CGI, and gitweb failed with the following message: Can't locate object method "request" via package "Apache2::RequestUtil" at gitweb_config.perl line 60. So this approach won't work for me. But even ignoring this problem, I'm now thinking that trying to show repos from *multiple authentication realms* in the main list according to the user's credentials was a foolish idea. I don't want to ask anonymous visitors to my main list for multiple logins they probably don't have, yet I think it would be poor practice from a predictability standpoint for the list to behave differently if the user volunteers login information that hasn't been requested. Instead, I will use a separate project list file for public repositories and for each realm, and no export_auth_hook. This is simple and requires no change to gitweb; my rewrite rule just has to tell my gitweb_config via an environment variable which list to use. Comments on this solution? (Note: I'm no longer advocating the hidden-repos feature at this time, but I think I will still advocate the forks-and-strict-export bug fix now that I have it written.) -- Matt -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html