Issue(?) with mod_dav_svn and requiring access to $reporoot
From: Tony Stevenson <pctony_at_apache.org>
Date: Mon, 21 May 2012 22:00:00 +0100
So,
Earlier today I was asked to open a few children from a repo that is essentially close by default.
This setup allows commits only via an https vhost, ad this is working perfectly. The http vhost is configured to not allow read-only access to the entire repo (as is the case with the main ASF repo).
REPOROOT = /x1/source.caret.cam.ac.uk/repos/svn
We do not want to make the webroot publicly readable, but we did want to make publicchild publicly readable. The only way I could make this happen, was to use the config below. Basically we had to allow "GET OPTIONS PROPFIND REPORT" for the WEBROOT. You can see, that we then do go on to explicitly deny all but a couple of options to prevent listing the entire repo.
With this it seems that dav_svn needs access to the root of the repo to be able to list contents of child folders.
If we take away "GET REPORT" from WEBROOT, and then goto PUBLIC child it will display an emtpy folder. But you can enter the name of a subfolder in the browser, and that will also open, again with no contents.
## For child objects to be able to be publicly readable, the root also needs to be readable.
## This block will make sure that the contents of these directories cannot be enumerated publicly.
<Location /svn/projects/talks.cam>
-- Cheers, Tony --------------------------------------------------------------- Tony Stevenson tony_at_pc-tony.com // pctony_at_apache.org // tony_at_caret.cam.ac.uk GPG: 1024D/51047D66 http://blog.pc-tony.com ---------------------------------------------------------------
|
This is an archived mail posted to the Subversion Dev mailing list.
This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.