96,172d95
< =head1 GIT SMART HTTP SUPPORT
< 
< Git's smart HTTP protocol (available since Git 1.7.0) will not work with the
< above settings. Redmine.pm normally does access control depending on the HTTP
< method used: read-only methods are OK for everyone in public projects and
< members with read rights in private projects. The rest require membership with
< commit rights in the project.
< 
< However, this scheme doesn't work for Git's smart HTTP protocol, as it will use
< POST even for a simple clone. Instead, read-only requests must be detected using
< the full URL (including the query string): anything that doesn't belong to the
< git-receive-pack service is read-only.
< 
< To activate this mode of operation, add this line inside your <Location /git>
< block:
< 
<   RedmineGitSmartHttp yes
< 
< Here's a sample Apache configuration which integrates git-http-backend with
< a MySQL database and this new option:
< 
<    SetEnv GIT_PROJECT_ROOT /var/www/git/
<    SetEnv GIT_HTTP_EXPORT_ALL
<    ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
<    <Location /git>
<        Order allow,deny
<        Allow from all
< 
<        AuthType Basic
<        AuthName Git
<        Require valid-user
< 
<        PerlAccessHandler Apache::Authn::Redmine::access_handler
<        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
<        # for mysql
<        RedmineDSN "DBI:mysql:database=redmine;host=127.0.0.1"
<        RedmineDbUser "redmine"
<        RedmineDbPass "xxx"
<        RedmineGitSmartHttp yes
<     </Location>
< 
< Make sure that all the names of the repositories under /var/www/git/ have a
< matching identifier for some project: /var/www/git/myproject and
< /var/www/git/myproject.git will work. You can put both bare and non-bare
< repositories in /var/www/git, though bare repositories are strongly
< recommended. You should create them with the rights of the user running Redmine,
< like this:
< 
<   cd /var/www/git
<   sudo -u user-running-redmine mkdir myproject
<   cd myproject
<   sudo -u user-running-redmine git init --bare
< 
< Once you have activated this option, you have three options when cloning a
< repository:
< 
< - Cloning using "http://user@host/git/repo(.git)" works, but will ask for the password
<   all the time.
< 
< - Cloning with "http://user:pass@host/git/repo(.git)" does not have this problem, but
<   this could reveal accidentally your password to the console in some versions
<   of Git, and you would have to ensure that .git/config is not readable except
<   by the owner for each of your projects.
< 
< - Use "http://host/git/repo(.git)", and store your credentials in the ~/.netrc
<   file. This is the recommended solution, as you only have one file to protect
<   and passwords will not be leaked accidentally to the console.
< 
<   IMPORTANT NOTE: It is *very important* that the file cannot be read by other
<   users, as it will contain your password in cleartext. To create the file, you
<   can use the following commands, replacing yourhost, youruser and yourpassword
<   with the right values:
< 
<     touch ~/.netrc
<     chmod 600 ~/.netrc
<     echo -e "machine yourhost\nlogin youruser\npassword yourpassword" > ~/.netrc
< 
222,226d144
<   {
<     name => 'RedmineGitSmartHttp',
<     req_override => OR_AUTHCFG,
<     args_how => TAKE1,
<   },
233,234c151,152
<                  hashed_password, salt, auth_source_id, permissions, projects.id, projects.identifier
<               FROM projects, users, roles, project_aliases
---
>                  hashed_password, salt, auth_source_id, permissions
>               FROM projects, users, roles
237,241c155
<                 AND (
<                   projects.identifier=?
<                   OR
<                   projects.id IN (SELECT project_id FROM project_aliases WHERE alias=?)
<                 )
---
>                 AND projects.identifier=?
268,278d181
< sub RedmineGitSmartHttp {
<   my ($self, $parms, $arg) = @_;
<   $arg = lc $arg;
< 
<   if ($arg eq "yes" || $arg eq "true") {
<     $self->{RedmineGitSmartHttp} = 1;
<   } else {
<     $self->{RedmineGitSmartHttp} = 0;
<   }
< }
< 
295,311d197
< sub request_is_read_only {
<   my ($r) = @_;
<   my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
< 
<   # Do we use Git's smart HTTP protocol, or not?
<   if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp}) {
<     my $uri = $r->unparsed_uri;
<     my $location = $r->location;
<     my $is_read_only = $uri !~ m{^$location/*[^/]+/+(info/refs\?service=)?git\-receive\-pack$}o;
<     return $is_read_only;
<   } else {
<     # Old behaviour: check the HTTP method
<     my $method = $r->method;
<     return defined $read_only_methods{$method};
<   }
< }
< 
320c206,207
<   return OK unless request_is_read_only($r);
---
>   my $method = $r->method;
>   return OK unless defined $read_only_methods{$method};
336,337c223,225
<   my $myRet = is_member($r->user, $redmine_pass, $r);
<   if ($myRet == AUTH_REQUIRED) {
---
>   if (is_member($r->user, $redmine_pass, $r)) {
>       return OK;
>   } else {
340,341d227
<   } else {
<       return $myRet;
436,447d321
< sub repoRedirect {
<   my $oldUrl = shift;
<   my $newUrl = shift;
<   my $r = shift;
< 
<   my $url = $r->unparsed_uri();
<   $url =~ s/$oldUrl/$newUrl/;
<   $r->headers_out->set('Location' => $url);
<   $r->status(Apache2::Const::REDIRECT);
<   return REDIRECT;
< }
< 
458c332
<   my $access_mode = request_is_read_only($r) ? "R" : "W";
---
>   my $access_mode = defined $read_only_methods{$r->method} ? "R" : "W";
464c338
<     return OK if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
---
>     return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
468c342,345
<   $sth->execute($redmine_user, $project_id, $project_id);
---
>   $sth->execute($redmine_user, $project_id);
> 
>   my $ret;
>   while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {
470,495d346
<   my $ret = AUTH_REQUIRED;
<   while (my ($hashed_password, $salt, $auth_source_id, $permissions, $projId, $projIdentifier) = $sth->fetchrow_array) {
< ###### Project aliases
<       my $repo_path="/home/git/repos/";
<       my $repo_prefix="";
<       my $repo_suffix=".git";
< 
<       $repo_path = $repo_path.$repo_prefix;
< 
<       unless(-d $repo_path.$project_id.$repo_suffix){
<         if(-d $repo_path.$projIdentifier.$repo_suffix){
<           return repoRedirect($project_id, $projIdentifier, $r);
<         }
<         my $sthdir = $dbh->prepare(
<             "SELECT id,alias FROM project_aliases WHERE project_id = ?;"
<         ); 
<         $sthdir->execute($projId);
<         while (my @rowdir = $sthdir->fetchrow_array) {
<           if(-d $repo_path.$rowdir[1].$repo_suffix){
<             return repoRedirect($project_id, $rowdir[1], $r);
<           }
<         }
<         $sthdir->finish();
<         undef $sthdir;
<       }
< ##############
500c351
<               $ret = OK;
---
>               $ret = 1;
509,510d359
<             my $bind_as = $redmine_user;
<             my $bind_pw = $redmine_pass;
515,516c364,365
<                 binddn  =>      $bind_as,
<                 bindpw  =>      $bind_pw,
---
>                 binddn  =>      $rowldap[3] ? $rowldap[3] : "",
>                 bindpw  =>      $rowldap[4] ? $rowldap[4] : "",
520c369
<             $ret = OK if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
---
>             $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
554d402
<     $identifier =~ s/\.git//;