Re: git-http-backend: anonymous read, authenticated write

["Jakub Narębski" <jnareb@gmail.com>]

On 09.04.2013, Magnus Therning wrote:

> I've been trying to set up git-http-backend+lighttpd.  I've managed to
> set up anonymous read-only access, and I then successfully configured
> authentication for both read and write.  Then I get stuck.  The
> man-page for git-http-backend says that the following snippet can be
> used for Apache 2.x:
> 
>     <LocationMatch "^/git/.*/git-receive-pack$">
>         AuthType Basic
>         AuthName "Git Access"
>         Require group committers
>         ...
>     </LocationMatch>
> 
> However, when I put in this match on location in my lighty config and
> try to push I'm not asked for a password, instead I'm greeted with
> 
>     % git push 
>     error: The requested URL returned error: 403 Forbidden while 
>      accessing
http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> 
> AFAICS this means the man-page is wrong, and that I instead ought to
> match on the "service=git-receive-pack" part.  Is that a correct
> conclusion?

Yes, it is.

I have tried to do the same anonymous read and authenticated write
in "smart HTTP" access in Apache.  There are some proposals[1],
all I think which use mod_rewrite (as LocationMatch doesn't take
query string into account, unfortunately), but I haven't been able
to make it work.

The problem is that both POST *and GET* (to get refs) must be authethicated.

Nb. I thought that it was corrected... which git version do you use?

[1]: http://paperlined.org/apps/git/SmartHTTP_Ubuntu.html


In the end I have worked around this by allowing all registered users to
read with "require valid-user" (which in my situation might be even more
correct solution; the case being repositories for Computer Science class
lab work), and restricting write via pre-receive hook which checks
REMOTE_USER.

-- 
Jakub Narębski