[MERGE] Allow writable bzr+http://

John Arbash Meinel john at arbash-meinel.com
Sat Dec 16 00:05:17 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The attached patch updates the documentation a little bit, and then
allows a flag to allow the WSGI app to expose a bzr+http:// connection
which can be written to.

In the new doc, I mention that we have a small impedance mismatch
between the smart protocol and authentication.

The problem is that we expect authentication to be done at a higher
level, such as by ssh or by Apache. So the smart protocol itself has no
support for Authentication. However, to Apache everything just looks
like a POST, so once you allow writing, you have allowed it to everyone
who has access to .bzr/smart.

The best I could come up with, would be to have 2 urls. Something like:

http://example.com/code/
and
http://example.com/code-rw/

Where you could have /srv/example.com/code-rw just be a symlink to
/srv/example.com/code, but it would give you another Directory entry in
Apache's config so that you could serve it by a slightly different script.

I guess the other possibility would be to have the handler be aware if
the user has been Authenticated. I assume it must be somewhere in the
wsgi environment settings. Then you could have the request handler use a
different smart_server_app which could be read-only or read-write as
directed.

I'll try to look into what that would take, and see if I can add that to
the documentation and examples.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgzg9JdeBCYSNAAMRApyfAJ0aAXQIX1nsMb8YQ5tgfMp+sw4McgCeN8+4
FEslp4zvt1YzH/nfEL/v8ho=
=Dy/I
-----END PGP SIGNATURE-----




More information about the bazaar mailing list