diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.c trunk/subversion/mod_dav_svn/authz.c
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.c	1970-01-01 02:00:00.000000000 +0200
+++ trunk/subversion/mod_dav_svn/authz.c	2006-07-17 23:31:30.000000000 +0300
@@ -0,0 +1,273 @@
+/*
+ * authz.c: mod_dav_svn native path-based authorization
+ *
+ * ====================================================================
+ * Copyright (c) 2003-2006 CollabNet.  All rights reserved.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution.  The terms
+ * are also available at http://subversion.tigris.org/license-1.html.
+ * If newer versions of this license are posted there, you may use a
+ * newer version instead, at your option.
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals.  For exact contribution history, see the revision
+ * history and logs, available at http://subversion.tigris.org/.
+ * ====================================================================
+ */
+
+
+
+#include <apr_uri.h>
+#include <mod_dav.h>
+
+#include "svn_dav.h"
+
+#include "dav_svn.h"
+
+static int check_access(const char *repos_name,
+                        const char *repos_path,
+                        request_rec* r,
+                        svn_repos_authz_access_t required_access)
+{
+  const char *authz_file = NULL;
+  svn_authz_t *access_conf = NULL;
+  svn_error_t *svn_err;
+  dav_error *dav_err;
+  const char *cache_key;
+  void *user_data;
+  svn_boolean_t access_granted;
+  char errbuf[128];
+
+  /* If native authz is off, there's nothing to do. Return DONE
+   * instead of OK to indicate that no checks have really been done.
+   */
+  if (!dav_svn_get_native_authz_flag(r))
+    return DONE;
+
+  authz_file = dav_svn_get_native_authz_file(r);
+  /* If access file had not been specified, the default
+     behavior is to allow access. 
+     XXX: is this right? */
+  if(authz_file == NULL)
+    return OK;
+
+  /* Retrieve/cache authorization file */
+  cache_key = apr_pstrcat(r->pool, "mod_dav_svn:", authz_file, NULL);
+  apr_pool_userdata_get(&user_data, cache_key, r->connection->pool);
+  access_conf = user_data;
+  if (access_conf == NULL) {
+    svn_err = svn_repos_authz_read(&access_conf, authz_file,
+                                   TRUE, r->connection->pool);
+    if (svn_err) {
+      ap_log_rerror(APLOG_MARK, APLOG_ERR,
+                    /* If it is an error code that APR can make sense
+                       of, then show it, otherwise, pass zero to avoid
+                       putting "APR does not understand this error code"
+                       in the error log. */
+                    ((svn_err->apr_err >= APR_OS_START_USERERR &&
+                      svn_err->apr_err < APR_OS_START_CANONERR) ?
+                     0 : svn_err->apr_err),
+                    r, "Failed to load the SVNNativeAuthzFile: %s",
+                    svn_err_best_message(svn_err,
+                                         errbuf, sizeof(errbuf)));
+      svn_error_clear(svn_err);
+
+      return DECLINED;
+    }
+
+    /* Cache the open repos for the next request on this connection */
+    apr_pool_userdata_set(access_conf, cache_key,
+                          NULL, r->connection->pool);
+  }
+
+  /* Perform authz access control. */
+  svn_err = svn_repos_authz_check_access(access_conf, repos_name,
+                                         repos_path, r->user,
+                                         required_access,
+                                         &access_granted,
+                                         r->pool);
+
+  if (svn_err) {
+    ap_log_rerror(APLOG_MARK, APLOG_ERR,
+                  /* If it is an error code that APR can make
+                     sense of, then show it, otherwise, pass
+                     zero to avoid putting "APR does not
+                     understand this error code" in the error
+                     log. */
+                  ((svn_err->apr_err >= APR_OS_START_USERERR &&
+                    svn_err->apr_err < APR_OS_START_CANONERR) ?
+                   0 : svn_err->apr_err),
+                  r, "Failed to perform access control: %s",
+                  svn_err_best_message(svn_err, errbuf, sizeof(errbuf)));
+    svn_error_clear(svn_err);
+
+    return DECLINED;
+  }
+
+  if (!access_granted)
+    return DECLINED;
+
+  return OK;
+}
+
+/* Log a message indicating the access control decision made about a
+ * request.  FILE and LINE should be supplied via the APLOG_MARK macro.
+ * ALLOWED is boolean.  REPOS_PATH and DEST_REPOS_PATH are information
+ * about the request.  DEST_REPOS_PATH may be NULL. */
+static void log_access_verdict(const char *file, int line,
+                               const request_rec *r,
+                               int allowed,
+                               const char *repos_path,
+                               svn_repos_authz_access_t required_access)
+{
+  int level = allowed ? APLOG_INFO : APLOG_ERR;
+  const char *verdict = allowed ? "granted" : "denied";
+
+  char access_str[4] = { 0, 0, 0, 0 };
+  int access_idx = 0;
+
+  if (required_access & svn_authz_read)
+    access_str[access_idx++] = 'r';
+
+  if (required_access & svn_authz_write)
+    access_str[access_idx++] = 'w';
+
+  if (required_access & svn_authz_recursive)
+    access_str[access_idx++] = 'R';
+
+  if (repos_path == NULL)
+    repos_path = "<global>";
+
+  if (r->user)
+  {
+    ap_log_rerror(file, line, level, 0, r,
+                  "[native] Access %s: '%s' %s %s %s", verdict, r->user,
+                  r->method, repos_path, access_str);
+  }
+  else
+  {
+    ap_log_rerror(file, line, level, 0, r,
+                  "[native] Access %s: - %s %s %s", verdict,
+                  r->method, repos_path, access_str);
+  }
+}
+
+dav_error *
+dav_svn_check_access(const char *repos_name,
+                     const char *repos_path,
+                     request_rec *r,
+                     svn_repos_authz_access_t required_access)
+{
+  int status;
+
+  status = check_access(repos_name, repos_path, r, required_access);
+
+  /* If no checks had been done, native authz is off, so don't log
+   * a possibly misleading authorization verdict.
+   */
+  if (status == DONE)
+    return NULL;
+
+  if(status == DECLINED)
+  {
+    log_access_verdict(APLOG_MARK, r, 0, repos_path, required_access);
+    ap_note_auth_failure(r); // XXX: need this?
+
+    // XXX: need better error message
+    return dav_svn__new_error_tag(r->pool, HTTP_FORBIDDEN, 0,
+                                  "Insufficient rights to access resource.",
+                                  SVN_DAV_ERROR_NAMESPACE,
+                                  SVN_DAV_ERROR_TAG);
+
+}
+
+  log_access_verdict(APLOG_MARK, r, 1, repos_path, required_access);
+
+  return NULL;
+}
+
+#if 0
+dav_error *
+dav_svn_check_resource_access(dav_resource *resource,
+                              svn_repos_authz_access_t required_access)
+{
+  {
+    char access[6] = { 0 };
+    int access_idx = 0;
+
+    request_rec* r = resource->info->r;
+
+    if( required_access & svn_authz_read )
+      access[access_idx++] = 'r';
+
+    if( required_access & svn_authz_write )
+      access[access_idx++] = 'w';
+
+    if( required_access & svn_authz_recursive )
+      access[access_idx++] = 'R';
+
+    if( r->user )
+    {
+      ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                    "[native] resource access: '%s' %s %s access:%s",
+                    r->user, r->method, resource->info->repos_path, access);
+    }
+    else
+    {
+      ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                    "[native] resource access: - %s %s access:%s",
+                    r->method, resource->info->repos_path, access);
+    }
+  }
+
+  return dav_svn_check_access(resource->info->repos->repo_name,
+                              resource->info->repos_path,
+                              resource->info->r,
+                              required_access);
+}
+
+dav_error *
+dav_svn_check_resource_parent_access(dav_resource *resource,
+                                     svn_repos_authz_access_t required_access)
+{
+  char* parent_path = NULL;
+
+
+
+  {
+    char access[6] = { 0 };
+    int access_idx = 0;
+
+    request_rec* r = resource->info->r;
+
+    if( required_access & svn_authz_read )
+      access[access_idx++] = 'r';
+
+    if( required_access & svn_authz_write )
+      access[access_idx++] = 'w';
+
+    if( required_access & svn_authz_recursive )
+      access[access_idx++] = 'R';
+
+    if( r->user )
+    {
+      ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                    "[native] resource access: '%s' %s %s access:%s",
+                    r->user, r->method, resource->info->repos_path, access);
+    }
+    else
+    {
+      ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                    "[native] resource access: - %s %s access:%s",
+                    r->method, resource->info->repos_path, access);
+    }
+  }
+
+  return dav_svn_check_access(resource->info->repos->repo_name,
+                              resource->info->repos_path,
+                              resource->info->r,
+                              required_access);
+}
+#endif
+
diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.lo trunk/subversion/mod_dav_svn/authz.lo
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.lo	1970-01-01 02:00:00.000000000 +0200
+++ trunk/subversion/mod_dav_svn/authz.lo	2006-07-17 23:31:38.000000000 +0300
@@ -0,0 +1,12 @@
+# subversion/mod_dav_svn/authz.lo - a libtool object file
+# Generated by ltmain.sh - GNU libtool 1.5.22 (1.1220.2.365 2005/12/18 22:14:06)
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# Name of the PIC object.
+pic_object='.libs/authz.o'
+
+# Name of the non-PIC object.
+non_pic_object='authz.o'
+
diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/dav_svn.h trunk/subversion/mod_dav_svn/dav_svn.h
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/dav_svn.h	2006-06-21 13:11:01.000000000 +0300
+++ trunk/subversion/mod_dav_svn/dav_svn.h	2006-07-17 21:11:48.000000000 +0300
@@ -282,7 +282,12 @@
    SVNParentPath allowed? */
 svn_boolean_t dav_svn_get_list_parentpath_flag(request_rec *r);
 
+/* for the repository referred to by this request, is native authz active? */
+svn_boolean_t dav_svn_get_native_authz_flag(request_rec *r);
 
+/* for the repository referred to by this request, where is the access
+   file for native authz */
+const char *dav_svn_get_native_authz_file(request_rec *r);
 
 /* SPECIAL URI
 
@@ -658,6 +663,14 @@
                         int http_status,
                         request_rec *r);
 
+/* Native path-based authorization */
+
+dav_error *
+dav_svn_check_access(const char *repos_name,
+                     const char *repos_path,
+                     request_rec *r,
+                     svn_repos_authz_access_t required_access);
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */
diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/lock.c trunk/subversion/mod_dav_svn/lock.c
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/lock.c	2006-06-21 13:11:01.000000000 +0300
+++ trunk/subversion/mod_dav_svn/lock.c	2006-07-18 02:54:14.000000000 +0300
@@ -656,12 +656,31 @@
   svn_error_t *serr;
   dav_error *derr;
 
-  /* If the resource's fs path is unreadable, we don't allow a lock to
-     be created on it. */
-  if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool))
-    return dav_new_error(resource->pool, HTTP_FORBIDDEN,
-                         DAV_ERR_LOCK_SAVE_LOCK,
-                         "Path is not accessible.");
+  /* XXX: This whole if(...) is a hack untill we introduce a
+   * dav_svn_allow_write() function - LOCK command needs write
+   * access to resource. mod_authz_svn, however had already
+   * authenticated a write.
+   */
+
+  if (dav_svn_get_native_authz_flag(resource->info->r))
+    {
+      /* Path-based authorization: LOCK needs write access to resource */
+      derr = dav_svn_check_access(resource->info->repos->repo_name,
+                                  resource->info->repos_path,
+				  resource->info->r,
+				  svn_authz_write);
+      if (derr)
+        return derr;
+    }
+  else
+    {
+      /* If the resource's fs path is unreadable, we don't allow a lock to
+         be created on it. */
+      if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool))
+        return dav_new_error(resource->pool, HTTP_FORBIDDEN,
+                             DAV_ERR_LOCK_SAVE_LOCK,
+                             "Path is not accessible.");
+    }
 
   if (lock->next)
     return dav_new_error(resource->pool, HTTP_BAD_REQUEST,
@@ -822,12 +841,27 @@
   if (info->keep_locks)
     return 0;
 
-  /* If the resource's fs path is unreadable, we don't allow a lock to
-     be removed from it. */
-  if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool))
-    return dav_new_error(resource->pool, HTTP_FORBIDDEN,
-                         DAV_ERR_LOCK_SAVE_LOCK,
-                         "Path is not accessible.");
+  if (dav_svn_get_native_authz_flag(resource->info->r))
+    {
+      /* Path-based authorization: UNLOCK needs write access to resource */
+      dav_error *derr;
+
+      derr = dav_svn_check_access(resource->info->repos->repo_name,
+                                  resource->info->repos_path,
+				  resource->info->r,
+				  svn_authz_write);
+      if (derr)
+        return derr;
+    }
+  else
+    {
+      /* If the resource's fs path is unreadable, we don't allow a lock to
+         be removed from it. */
+      if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool))
+        return dav_new_error(resource->pool, HTTP_FORBIDDEN,
+                             DAV_ERR_LOCK_SAVE_LOCK,
+                             "Path is not accessible.");
+    }
 
   if (locktoken == NULL)
     {
diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/mod_dav_svn.c trunk/subversion/mod_dav_svn/mod_dav_svn.c
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/mod_dav_svn.c	2006-06-21 13:11:01.000000000 +0300
+++ trunk/subversion/mod_dav_svn/mod_dav_svn.c	2006-06-21 13:20:51.000000000 +0300
@@ -66,6 +66,9 @@
   enum dav_svn_flag do_path_authz;   /* whether GET subrequests are active */
   enum dav_svn_flag list_parentpath; /* whether to allow GET of parentpath */
 
+  enum dav_svn_flag do_native_authz; /* whether native authz is active */
+  const char *native_authz_file;     /* rule file for native authz */
+
 } dav_svn_dir_conf;
 
 #define INHERIT_VALUE(parent, child, field) \
@@ -139,6 +142,9 @@
     newconf->autoversioning = INHERIT_VALUE(parent, child, autoversioning);
     newconf->do_path_authz = INHERIT_VALUE(parent, child, do_path_authz);
     newconf->list_parentpath = INHERIT_VALUE(parent, child, list_parentpath);
+    newconf->do_native_authz = INHERIT_VALUE(parent, child, do_native_authz);
+    newconf->native_authz_file = INHERIT_VALUE(parent, child,
+                                               native_authz_file);
 
     return newconf;
 }
@@ -189,7 +195,6 @@
   return NULL;
 }
 
-
 static const char *dav_svn_list_parentpath_cmd(cmd_parms *cmd, void *config,
                                                int arg)
 {
@@ -203,7 +208,6 @@
   return NULL;
 }
 
-
 static const char *dav_svn_path_cmd(cmd_parms *cmd, void *config,
                                     const char *arg1)
 {
@@ -218,7 +222,6 @@
     return NULL;
 }
 
-
 static const char *dav_svn_parent_path_cmd(cmd_parms *cmd, void *config,
                                            const char *arg1)
 {
@@ -264,6 +267,29 @@
     return NULL;
 }
 
+static const char *dav_svn_native_authz_cmd(cmd_parms *cmd, void *config,
+                                            int arg)
+{
+  dav_svn_dir_conf *conf = config;
+
+  if (arg)
+    conf->do_native_authz = DAV_SVN_FLAG_ON;
+  else
+    conf->do_native_authz = DAV_SVN_FLAG_OFF;
+
+  return NULL;
+}
+static const char *dav_svn_native_authz_file_cmd(cmd_parms *cmd, void *config,
+                                                 const char *arg1)
+{
+    dav_svn_dir_conf *conf = config;
+
+    conf->native_authz_file
+      = svn_path_canonicalize(apr_pstrdup(cmd->pool, arg1), cmd->pool);
+
+    return NULL;
+}
+
 
 /** Accessor functions for the module's configuration state **/
 
@@ -375,6 +401,22 @@
     return conf->list_parentpath == DAV_SVN_FLAG_ON;
 }
 
+svn_boolean_t dav_svn_get_native_authz_flag(request_rec *r)
+{
+    dav_svn_dir_conf *conf;
+
+    conf = ap_get_module_config(r->per_dir_config, &dav_svn_module);
+    return conf->do_native_authz == DAV_SVN_FLAG_ON;
+}
+
+const char *dav_svn_get_native_authz_file(request_rec *r)
+{
+    dav_svn_dir_conf *conf;
+
+    conf = ap_get_module_config(r->per_dir_config, &dav_svn_module);
+    return conf->native_authz_file;
+}
+
 static void merge_xml_filter_insert(request_rec *r)
 {
     /* We only care about MERGE and DELETE requests. */
@@ -527,6 +569,17 @@
   AP_INIT_FLAG("SVNListParentPath", dav_svn_list_parentpath_cmd, NULL,
                ACCESS_CONF|RSRC_CONF, "allow GET of SVNParentPath."),
 
+  /* per directory/location */
+  AP_INIT_FLAG("SVNNativeAuthz", dav_svn_native_authz_cmd, NULL,
+               ACCESS_CONF|RSRC_CONF,
+               "use mod_dav_svn native path-based authorization"),
+
+  /* per directory/location */
+  AP_INIT_TAKE1("SVNNativeAuthzFile", dav_svn_native_authz_file_cmd, NULL,
+               ACCESS_CONF|RSRC_CONF,
+                "Text file containing permissions of repository paths "
+                "for mod_dav_svn native path-based authorization"),
+
   { NULL }
 };
 
diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/repos.c trunk/subversion/mod_dav_svn/repos.c
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/repos.c	2006-06-21 13:11:01.000000000 +0300
+++ trunk/subversion/mod_dav_svn/repos.c	2006-07-18 01:56:35.000000000 +0300
@@ -1481,6 +1481,27 @@
   if (err)
     return err;
 
+#ifdef SVN_DEBUG
+#if 0
+  /* Perform native authz for dav_svn_get_resource(). This call is just
+   * for debugging purposes to trace resource lookups vs. native authz
+   * lookups.
+   */
+  if (dav_svn_get_native_authz_flag(r))
+    {
+      err = dav_svn_check_access(repos_name, repos_path, r,
+                                 svn_authz_read|svn_authz_generic);
+      if (err)
+        return err;
+    }
+#endif
+
+  ap_log_rerror (APLOG_MARK, APLOG_INFO, 0, r,
+                 "dav_svn_get_resource(): %s %s %s (%s)",
+		 (r->user ? r->user : "-"),
+		 r->method, repos_path, r->uri);
+#endif
+
   /* The path that we will eventually try to open as an svn
      repository.  Normally defined by the SVNPath directive. */
   fs_path = dav_svn_get_fs_path(r);
@@ -2911,6 +2932,17 @@
                          "MKCOL called on regular resource, but "
                          "autoversioning is not active.");
 
+  /* Path-based authorization: MKCOL requires write access to the
+   * parent directory of the new resource.
+   */
+  err = dav_svn_check_access(resource->info->repos->repo_name,
+                             get_parent_path(resource->info->repos_path,
+                                             resource->pool),
+                             resource->info->r,
+                             svn_authz_write);
+  if (err)
+    return err;
+
   /* ### note that the parent was checked out at some point, and this
      ### is being preformed relative to the working rsrc for that parent */
 
@@ -2986,6 +3018,26 @@
                          "COPY called on regular resource, but "
                          "autoversioning is not active.");
 
+  /* Path-based authorization: COPY requires recursive read access
+   * to the source resource and write access to the parent directory
+   * of the destivation resource.
+   */
+
+  err = dav_svn_check_access(src->info->repos->repo_name,
+                             src->info->repos_path,
+                             src->info->r,
+                             svn_authz_read|svn_authz_recursive);
+  if (err)
+    return err;
+
+  err = dav_svn_check_access(dst->info->repos->repo_name,
+                             get_parent_path(dst->info->repos_path,
+                                             dst->pool),
+                             dst->info->r,
+                             svn_authz_write);
+  if (err)
+    return err;
+
   /* Auto-versioning copy of regular resource: */
   if (dst->type == DAV_RESOURCE_TYPE_REGULAR)
     {
@@ -3063,10 +3115,36 @@
   /* Handle activity deletions (early exit). */
   if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY)
     {
+      /* Path-based authorization: DELETE of an activity requires
+       * a global write access to the repository.
+       *
+       * XXX: Given the UUID of an activity is unique and there are
+       * no malicious users, checking for global write access to
+       * the repository on DELETE is not neccesary as it has already
+       * been checked on MKACTIVITY.
+       *   -- arteme
+       */
+      err = dav_svn_check_access(resource->info->repos->repo_name,
+				 NULL, /* global repository access */
+				 resource->info->r,
+				 svn_authz_write);
+      if (err)
+	return err;
+		  
       return dav_svn_delete_activity(resource->info->repos,
                                      resource->info->root.activity_id);
     }
 
+  /* Path-based authorization: DELETE requires recursive write access
+   * to the resource.
+   */
+  err = dav_svn_check_access(resource->info->repos->repo_name,
+			     resource->info->repos_path,
+			     resource->info->r,
+			     svn_authz_write|svn_authz_recursive);
+  if (err)
+    return err;
+
   /* ### note that the parent was checked out at some point, and this
      ### is being preformed relative to the working rsrc for that parent */
 
@@ -3183,6 +3261,26 @@
                          "MOVE only allowed on two public URIs, and "
                          "autoversioning must be active.");
 
+  /* Path-based authorization: MOVE requires recursive write access
+   * to the source resource and write access to the parent directory
+   * of the destivation resource.
+   */
+
+  err = dav_svn_check_access(src->info->repos->repo_name,
+                             src->info->repos_path,
+                             src->info->r,
+                             svn_authz_write|svn_authz_recursive);
+  if (err)
+    return err;
+
+  err = dav_svn_check_access(dst->info->repos->repo_name,
+                             get_parent_path(dst->info->repos_path,
+                                             dst->pool),
+                             dst->info->r,
+                             svn_authz_write);
+  if (err)
+    return err;
+
   /* Change the dst VCR into a WR, in place.  This creates a txn and
      changes dst->info->root from a rev-root into a txn-root. */
   err = dav_svn_checkout(dst,
diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/update.c trunk/subversion/mod_dav_svn/update.c
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/update.c	2006-06-21 13:11:01.000000000 +0300
+++ trunk/subversion/mod_dav_svn/update.c	2006-07-17 11:57:06.000000000 +0300
@@ -139,15 +139,29 @@
   /* Build a Version Resource uri representing (rev, path). */
   uri = dav_svn_build_uri(repos, uri_type, rev, path, FALSE, pool);
 
-  /* Check if GET would work against this uri. */
-  subreq = ap_sub_req_method_uri("GET", uri, r, r->output_filters);
-
-  if (subreq)
+  if (dav_svn_get_native_authz_flag(r))
     {
-      if (subreq->status == HTTP_OK)
+      /* Do native auhorization lookup */
+      dav_error *err = dav_svn_check_access(repos->repo_name, path, r,
+                                            svn_authz_read);
+
+      if (! err)
         allowed = TRUE;
 
-      ap_destroy_sub_req(subreq);
+      /* XXX: need to cleanup dav_error? */
+    }
+  else
+    {
+      /* Check if GET would work against this uri. */
+      subreq = ap_sub_req_method_uri("GET", uri, r, r->output_filters);
+
+    if (subreq)
+      {
+        if (subreq->status == HTTP_OK)
+          allowed = TRUE;
+
+        ap_destroy_sub_req(subreq);
+      }
     }
 
   return allowed;
diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/version.c trunk/subversion/mod_dav_svn/version.c
--- tags/svn-trunk-r20114/subversion/mod_dav_svn/version.c	2006-06-21 13:11:01.000000000 +0300
+++ trunk/subversion/mod_dav_svn/version.c	2006-07-17 16:54:57.000000000 +0300
@@ -247,6 +247,16 @@
   dav_error *derr;
   dav_svn_uri_info parse;
 
+  /* Path-based authorization: CHECKOUT requires write access
+   * to the resource.
+   */
+  derr = dav_svn_check_access(resource->info->repos->repo_name,
+                              resource->info->repos_path,
+                              resource->info->r,
+                              svn_authz_write);
+  if (derr)
+    return derr;
+
   /* Auto-Versioning Stuff */
   if (auto_checkout)
     {
@@ -1333,7 +1343,18 @@
                                          const apr_xml_doc *doc,
                                          ap_filter_t *output)
 {
-  int ns = dav_svn_find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+  int ns;
+  dav_error *err;
+
+  /* Path-based authorization: REPORT requires read access to the resource */
+  err = dav_svn_check_access(resource->info->repos->repo_name,
+                             resource->info->repos_path,
+			     r,
+			     svn_authz_read);
+  if (err)
+    return err;
+
+  ns = dav_svn_find_ns(doc->namespaces, SVN_XML_NAMESPACE);
 
   if (doc->root->ns == ns)
     {
@@ -1408,7 +1429,17 @@
                                   "DAV:activity-collection-set property.",
                                   SVN_DAV_ERROR_NAMESPACE,
                                   SVN_DAV_ERROR_TAG);
-   
+
+  /* Path-based authorization: MKACTIVITY needs global write access
+   * to the repository.
+   */
+  err = dav_svn_check_access(resource->info->repos->repo_name,
+                             NULL, /* global repository access */
+                             resource->info->r,
+                             svn_authz_write);
+  if (err)
+    return err;
+
   err = dav_svn_create_activity(resource->info->repos, &txn_name,
                                 resource->pool);
   if (err != NULL)
