Jens Krämer

Accessing ownCloud From Within Redmine

 |  webdav, owncloud, redmine

This topic recently came up and is actually easy to do if all you want is read only ownCloud access from within Redmine:

  1. mount ownCloud via webDAV on Redmine server (using davfs2 as described in the docs)
  2. use Redmine’s File system SCM adapter to make the webDAV mount point accessible as a Repository in Redmine

Why?

Now why would you want to do this? After all, ownCloud already has a web interface, not to mention the native desktop / smartphone clients.

Well, besides the quick file browsing without leaving Redmine you can now easily reference files stored in ownCloud everywhere in Redmine using the source:/some/path/to/file.pdf syntax. If you collaborate with external users through Redmine, you might also chose to give them access to a project’s repository and share files from ownCloud with them through Redmine without exposing your ownCloud instance to them. Be sure to pay special attention to Gotcha #2 below in this case.

Gotcha #1: Conceptual Mismatch

ownCloud manages completely separate file trees for each user, and you have to pick one such user when doing the webDAV mount in step 1 above. There is no concept of a shared project workspace, though you can share files and folders among users and groups.

A Repository in Redmine on the other hand is the same for all users - depending on permissions it may be browsed by a user or not, but all users with sufficient permissions will see the same things.

Doesn’t look like an easy fit, but there are scenarios where this may still make sense:

Gotcha #2: Security / privacy issues

DavFS cache

The DavFS linux file system implementation will create temporary files on the machine where the mount is. On Debian that cache is located in /var/cache/davfs2 and it may contain any data downloaded from ownCloud. If you put a lot of effort into securing the place where your ownCloud stores files, you should treat this cache directory the same.

Redmine

Redmine’s file system SCM adapter basically gives anybody with the Create Repository permission read access to your server’s full file system, with the permissions of the user running Redmine (usually www-data or similar).

A solution to this problem was introduced in Redmine 3 by adding a setting that allows restriction of the possible repository root directories: Edit config/configuration.yml in your Redmine, find the scm_filesystem_path_regexp key and set it to a value that only allows known good paths as repository roots.

If you mount your per-project ownCloud accounts under /mnt/owncloud that might look like this:

production:
  scm_filesystem_path_regexp: /mnt/owncloud/%project%

Redmine interpolates %project% to the current project’s identifier. After changing the file, restart Redmine and check if it works by attempting to create repositories in forbidden locations.

People

Make sure everybody is on the same page about how and when a file becomes readable by whom. Establish clear policies about which files are ok to be shared with the Redmine technical users in ownCloud and which are not. Any file shared with such a Redmine user will be re-shared through Redmine to whoever has repository read access there. If necessary, create different users / webDAV mounts for internal / external use and use them to separate customer-accessible files from internal assets.

Summary

While certainly not ideal, this DavFS / SCM adapter solution is a first step for integrating ownCloud and Redmine.

I’m very interested to hear your thoughts - do you think this is at all useful, and / or what other things are crucial for a good Redmine / ownCloud integration? What should a more complete solution, possibly involving ownClouds Federated Cloud Sharing API look like? What about write access from Redmine - should it be possible to push content from Redmine to an ownCloud account?

Comments

You can use Markdown here.

For the sake of spam checking any data you submit, including your IP address, will be transferred to the US based Akismet web service (akismet.com). If that's not acceptable for you, you can also reach me by other means.