[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Granular repository access via httpd

From: Sander Striker <striker_at_apache.org>
Date: 2002-01-30 13:00:55 CET

Hi,

> Greg (S), did you ever get anywhere with the expanded permissions for a
> subfolder thing we were talking about?
>
> To recap, I was trying to expand permissions in a subdirectory of a project,
> for the specific purpose of allowing contributers to commit to that
> directory, and only to that directory. Multiple Locations didn't seem to do
> the trick, the hang-up apparently being that to commit to a subfolder, you
> have to have write access to the root, as well. I haven't seen anything in
> the list about this, but I know that both Greg and Sander were thinking about
> it. That being said, the next milestone is more important, but if there's an
> easy way to achieve this with the current system, I'd like to know what it is.
>
> Thanks.

The granular access control is less straight forward than we originally thought.
It isn't a simple extra location block like so:

<Location /svn/repos/path/in/repos>
    AuthType Basic
    ...
    
    Require group mygroup
</Location>

Lets assume we only want to restrict commits for now. The urls used to commit to
the repos are looking like this:
http://myserver/myrepos/$svn/.../path/in/repos where the ... part contains
a 3 letter portion like act, wrk, etc and a uuid.

So you would need something like this (untested):

<LocationMatch /svn/repos/$svn/[a-z]//?([0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}/path/in/repos>
    AuthType Basic
    ...

    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require group path_in_repos_committers
    </LimitExcept>
</LocationMatch>

This would work on the PUT and DELETE, but not on PROPPATCH or the other
methods where the uuid is the final part of the url.

I am personally getting the feeling we have to implement acls in svn
at some point (preferably before 1.0, but after all the major features).
I don't know if we can implement a pre-commit hook that does simple write
restriction. We probably can, and if so, we can defer the acl
implementation to post 1.0 IMO.

Thoughts? Oh, before this fires up the entire ACL discussion again, please
defer that until later. There are bigger fish to fry at this time.

Sander

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Oct 21 14:37:01 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.