Per-directory access restrictions with Trac and Subversion (mod_svn)

The below assumes that you are requiring a login to access Subversion over http(s) and Trac, and that the credentials users use for each service are the same.

Your access control file:

Both Trac and mod_svn use the same access control file format, so you should only need one file for both. The file format is described in some detail here, but I’ll go over some basics.

Each section consists of a section name consisting of either a repository and a path, or just a path. Since the default (when specifying an ACL file) is not give anyone access at all, you’ll want to specify a general access rule for all repositories. After that, you’ll additionally want to specify the access restrictions you want. The rule with the most specific path will always match first. To grant no permissions, leave the right side of the rule blank. For example:

# Give everyone read/write access to all repositories


* = rw

# Only allow Bob to access the path ‘/secret’ in the ‘systems’ repository


bob = rw

* =

The documentation contains more details as well as information about using groups.

Subversion (mod_svn) config:

To restrict access to specific repositories or directories when using Subversion and Apache, you’ll need to specify the file you created in the section above with “AuthzSVNAccessFile /path/to/file”. Then, after restarting apache, your access control rules should be applied.

Trac config:

To apply the same restrictions to Trac that you’ve applied to mod_svn above, you’ll need to make a few configuration changes, all in the [trac] section of trac.ini. First, if you’ve specified any repository-specific rules (like [systems:/secret], above), you’ll need to set ‘authz_module_name’ to the name of your repository. Second, you’ll need to set ‘authz_file’ to the path to your ACL file which we created above. After this, your access rules should be applied in trac as well. For more information on this and other permission policies in Trac, you can read the documentation for fine-grained permissions in Trac here.

Leave a Reply

Your email address will not be published. Required fields are marked *