Somehow my first message didn't get sent to the list.. I'll copy it
Further to my previous message, I'd forgotten about mod_authz_svn. I was
searching through my printed copy of the subversion book (too old to
have it in) and couldn't find the 'bit about the subversion-side access
file thingy'. I concluded I had been dreaming and what I was looking for
only applied to svnserve.
Two minutes after sending my last message ... I stumble across it.
Don't ignore what I said .. just most of it. Instead read
And scroll down to the bit about AuthzSVNAccessFile
Another example access file:
The docs aren't all that mature yet... but it looks sound.
Original message (went direct to Greg)
Subversion does not *rely* on the underlying file system for access
control, although this is of course still important as part of
If you disallow access via direct file access, and allow the students
access only through HTTP, you should be able to use Apache's access
control for the lot. Use an htgroups/htusers/htpasswd file for the
If you used just one repository:
so your starting point is http://server/svnrepos/trunk/ - allow
everyone read, instructors write
Team 1's work: http://server/svnrepos/branch/team1/ - allow team1
read/write, instructor read.
You shouldn't need to use *nix file permissions at all, and you don't
even need to use groups, except perhaps for the instructors. If you use
a repository per team, then things are even easier - but each
team/student gets a complete copy of the project, not a cheap
I'm hardly an Apache expert and even less an SVN expert, but this
principle should work. The main problem I see here is that all the
Subversion documentation up to this point applies permission on a
per-repository basis, so it isn't too helpful for a newcomer to work out
how to do individual branch security like this.
(I had written some Limit/LimitExcept-based attempt on security, but
SVNAuthZAccessFile just wipes it away)
In fact, I'm rather interested in this whole thing, since I was
wondering how to secure different projects in a single repository or
whether to use svn:external properties and do the whole repository at
once. At the moment we're not using Subversion for production use, and
so basically the whole team has blanket access to the whole thing. The
critical projects are still in SourceSafe (where access control isn't
much better but at least all the tools are mature .. until Subway grows
up a bit more <hopeful smile>)
Hope this helps, and hope someone else helps ...
Walter Nicholls (firstname.lastname@example.org)
Cornerstone Software Ltd (www.cornerstone.co.nz)
To unsubscribe, e-mail: email@example.com
For additional commands, e-mail: firstname.lastname@example.org
Received on Fri Aug 1 01:22:09 2003