
Re: Authz on Collection of Repositories

From: Thomas Åkesson <thomas.akesson_at_simonsoft.se>
Date: Wed, 16 Jan 2013 19:54:35 +0100

Hi Ivan,

I committed to drafting some change notes for this change quite some time ago.

 - Below is a draft of a section to include in Release Notes. I suggest just after "In repository authz".
 - Patch contains line for CHANGES
 - Patch contains clarification and new example for mod_authz_svn INSTALL file.

Hope I got the patch right.

Thomas Å.

Release notes below:

Filtering "Collection of Repositories" based on authz

When Apache is configured with the SVNParentPath directive, the "Collection of Repositories" list will now be filtered based on read access to the root of each repository. Up to now, all repositories were included in the list even if navigating to a repository would be forbidden. The "Collection of Repositories" will now be consistent with the directory lists within repositories. This provides an improved user experience by only displaying the repositories of interest to the user.

The access to "Collection of Repositories" is not restricted by mod_authz_svn. In order to require authentication on this location, the location should have "Satisfy All" (default). See examples in INSTALL for mod_authz_svn for additional details.

Index: subversion/mod_authz_svn/INSTALL
--- subversion/mod_authz_svn/INSTALL (revision 1434103)
+++ subversion/mod_authz_svn/INSTALL (working copy)
@@ -56,6 +56,12 @@ II. Configuration
            Satisfy Any
            Require valid-user
+ NOTE: The access control is designed to never display entries that
+ the user does not have access to. Combining anonymous access on the
+ top levels while restricting read access lower in the directory
+ structure makes it difficult to browse because the server will not
+ request authentication.
       C. Example 3: Authenticated access only
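Review bot: The added NOTE under the "Satisfy Any" example names the symptom ("the server will not request authentication") but gives the reader no remedy. Suggest saying explicitly that restricted entries are silently omitted for anonymous users, and ending the note with a pointer to the new Example 7 ("Satisfy All") so an administrator who hits this knows which configuration to use instead.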
@@ -123,7 +129,7 @@ II. Configuration
          restrict access to this authz file and it is in the same repository
          you should include a rule for it.
- F. Example 5: Authz file stored inside the repository being accessed.
+ F. Example 6: Authz file stored inside the repository being accessed.
          This configuration allows providing a relative path within the
          repository being accessed.
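Review bot: The heading change from "F. Example 5" to "F. Example 6" is a numbering fix that is separate from the Collection of Repositories filtering, and the mail's summary of the patch does not mention it. Suggest calling it out in the log message, and checking the rest of INSTALL for any text that still refers to this section as Example 5.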
@@ -144,6 +150,39 @@ II. Configuration
          NOTE: You should include rules in your authz file to restirct access
          to the authz file as desired.
+ G. Example 7: Authenticated access to "Collection of Repositories"
+ The "Collection of Repositories" is filtered based on read access to
+ the root of each repository, i.e. consistent with the directory lists
+ within repositories. If read access is restricted in repository roots,
+ it is typically desirable to require authentication for "Collection of
+ Repositories" in order to display the repositories.
+ This is accomplished by specifying "Satisfy All" (default).
+ <Location /svn>
+ DAV svn
+ SVNParentPath /path/to/reposparent
+ AuthType Basic
+ AuthName "Subversion repository"
+ AuthUserFile /path/to/htpasswd/file
+ AuthzSVNAccessFile /path/to/access/file
+ # Implicit Satisfy All
+ Require valid-user
+ </Location>
+ If the same server must be able to serve paths with anonymous access,
+ it can be defined by an additional location (Require statement not
+ needed but included for clarity).
+ <LocationMatch "^/svn/.+">
+ Satisfy Any
+ Require valid-user
+ </LocationMatch>
    2. Specifying permissions
       The file format of the access file looks like this:
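Review bot: Example 7 does not say which URLs stay behind authentication once the second block is added, and that is the security-relevant part of the <LocationMatch "^/svn/.+"> line. The pattern requires at least one character after "/svn/", so the listing itself keeps the implicit "Satisfy All" while everything below it becomes "Satisfy Any"; suggest stating that in the prose, and adding that with "Satisfy Any" anonymous read is then decided entirely by the AuthzSVNAccessFile rules. The heading "Authenticated access to ..." would also read better with a short sentence on what an unauthenticated client sees at /svn/. Minor: the unchanged context line above the new section has "restirct", which could be fixed while touching this area.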
--- CHANGES (revision 1434103)
+++ CHANGES (working copy)
@@ -39,7 +39,7 @@ http://svn.apache.org/repos/asf/subversion/tags/1.
     * 'svn propset' checks spelling of reserved property names.
   - Client-side bugfixes:
- *
+ * SVNParentPath / Collection of Repositories filtered based authz (r1408184)
   - Server-side bugfixes:
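Review bot: The new CHANGES entry fills the empty bullet under "Client-side bugfixes", but it describes SVNParentPath behaviour, which is server configuration; it looks like it belongs under "Server-side bugfixes" (or the server-side improvements list, since the release notes present it as a behaviour change rather than a fix). The wording also drops a word: "filtered based authz" should be "filtered based on authz".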
Received on 2013-01-16 19:55:16 CET

This is an archived mail posted to the Subversion Dev mailing list.
