Hi Ivan,
I committed to drafting some change notes for this change quite some time ago.
- Below is a draft of a section to include in Release Notes. I suggest just after "In repository authz".
- Patch contains line for CHANGES
- Patch contains clarification and new example for mod_authz_svn INSTALL file.
Hope I got the patch right.
Thanks,
Thomas Å.
Release notes below:
Filtering "Collection of Repositories" based on authz
When Apache is configured with the SVNParentPath directive, the "Collection of Repositories" list will now be filtered based on read access to the root of each repository. Up to now, all repositories were included in the list even if navigating to a repository would be forbidden. The "Collection of Repositories" will now be consistent with the directory lists within repositories. This provides an improved user experience by only displaying the repositories of interest to the user.
The access to "Collection of Repositories" is not restricted by mod_authz_svn. In order to require authentication on this location, the location should have "Satisfy All" (default). See examples in INSTALL for mod_authz_svn for additional details.
Index: subversion/mod_authz_svn/INSTALL
===================================================================
--- subversion/mod_authz_svn/INSTALL (revision 1434103)
+++ subversion/mod_authz_svn/INSTALL (working copy)
@@ -56,6 +56,12 @@ II. Configuration
Satisfy Any
Require valid-user
</Location>
+
+ NOTE: The access control is designed to never display entries that
+ the user does not have access to. Combining anonymous access on the
+ top levels while restricting read access lower in the directory
+ structure makes it difficult to browse because the server will not
+ request authentication.
C. Example 3: Authenticated access only
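Review bot: the added NOTE, placed after the `</Location>` of the example preceding "C. Example 3", describes the symptom ("difficult to browse because the server will not request authentication") but gives the administrator no next step. Consider stating the consequence directly (with anonymous access allowed, entries the anonymous user cannot read are left out of listings and no login prompt appears) and pointing to the new Example 7 for the configuration that does request authentication.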
@@ -123,7 +129,7 @@ II. Configuration
restrict access to this authz file and it is in the same repository
you should include a rule for it.
- F. Example 5: Authz file stored inside the repository being accessed.
+ F. Example 6: Authz file stored inside the repository being accessed.
This configuration allows providing a relative path within the
repository being accessed.
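Review bot: the heading under letter F changes from "Example 5" to "Example 6", which the cover message does not mention (it lists only a clarification and a new example). If this corrects a duplicated example number, say so in the log message, and check the rest of INSTALL for text that still refers to this example by its old number.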
@@ -144,6 +150,39 @@ II. Configuration
NOTE: You should include rules in your authz file to restirct access
to the authz file as desired.
+ G. Example 7: Authenticated access to "Collection of Repositories"
+
+ The "Collection of Repositories" is filtered based on read access to
+ the root of each repository, i.e. consistent with the directory lists
+ within repositories. If read access is restricted in repository roots,
+ it is typically desirable to require authentication for "Collection of
+ Repositories" in order to display the repositories.
+
+ This is accomplished by specifying "Satisfy All" (default).
+
+ <Location /svn>
+ DAV svn
+ SVNParentPath /path/to/reposparent
+
+ AuthType Basic
+ AuthName "Subversion repository"
+ AuthUserFile /path/to/htpasswd/file
+
+ AuthzSVNAccessFile /path/to/access/file
+ # Implicit Satisfy All
+ Require valid-user
+ </Location>
+
+ If the same server must be able to serve paths with anonymous access,
+ it can be defined by an additional location (Require statement not
+ needed but included for clarity).
+
+ <LocationMatch "^/svn/.+">
+ Satisfy Any
+ Require valid-user
+ </LocationMatch>
+
+
2. Specifying permissions
The file format of the access file looks like this:
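Review bot: in Example 7 the pattern in `<LocationMatch "^/svn/.+">` requires at least one character after /svn/, which is what keeps the repository list itself under the implicit Satisfy All, but the paragraph introducing it only says "paths with anonymous access". State that intent in the text so the regex is not later loosened to match /svn/ as well. Two smaller points: the hunk ends with two consecutive empty added lines where one would do, and the context line "restirct access" in the NOTE just above could be corrected while this area is being touched.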
Index: CHANGES
===================================================================
--- CHANGES (revision 1434103)
+++ CHANGES (working copy)
@@ -39,7 +39,7 @@ http://svn.apache.org/repos/asf/subversion/tags/1.
* 'svn propset' checks spelling of reserved property names.
- Client-side bugfixes:
- *
+ * SVNParentPath / Collection of Repositories filtered based authz (r1408184)
- Server-side bugfixes:
*
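Review bot: as the hunk reads, the new entry fills the bullet slot directly under "Client-side bugfixes:" and ahead of "Server-side bugfixes:", yet the change concerns the list the server produces for SVNParentPath. Move it to a server-side section, and change the wording "filtered based authz" to "filtered based on authz".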
Received on 2013-01-16 19:55:16 CET