Index: doc/book/book/ch05.xml
===================================================================
--- doc/book/book/ch05.xml (revision 4824)
+++ doc/book/book/ch05.xml (working copy)
@@ -1950,6 +1950,46 @@
</Location>
+ If you need to limit access to a portion of the repository,
+ additional <Location>, or
+ <LocationMatch> blocks can be used
+ for subdirectories in your repository. You should not include
+ the DAV, SVNPath, or
+ SVNParentPath directives in these sections.
+ The <Location> block you have for
+ the base will suffice for all the subdirectories.
+
+ Additionally, preventing read access to a subdirectory in a
+ repository is currently somewhat problematic. There are two
+ major issues. The first is that a
+ <LocationMatch> block is required
+ because of the way Subversion fetches specific revisions out of
+ the repository. Here is an example of restricting read access
+ to the repository directory http://svn.collab.net/repos/svn/private
+ to authenticated users.
+
+
+<LocationMatch ^/repos/svn/(/\!svn/bc/[0-9]+)?/private>
+ AuthType Basic
+ AuthName "Subversion repository"
+ AuthUserFile /usr/local/apache/svnauth/passwd
+ Require valid-user
+</LocationMatch>
+
+
+ The second issue is that Subversion currently handles
+ checkouts that don't complete rather poorly. In this example, if
+ someone tried to check out the entire Subversion repository, it
+ would balk when it got the private directory,
+ requiring and authorization. If it didn't get it, the checkout
+ would abort in the middle, leaving your working directory in an
+ ill-defined state. You couldn't put your repository back into a
+ defined sate, because no matter what you did, it would balk at
+ the private directory. This isn't a problem
+ if you only check out sections of the repository where you have
+ read access to every directory.
+
These are only a few simple examples. For more in-depth
information about Apache access control, take a look at the
Security section of the Apache