
RE: Howto: user-level permissions on Windows?

From: Benjamin C. Allfree <benles_at_bldigital.com>
Date: 2005-02-01 16:21:30 CET

Thanks, this is very helpful!

SVN would need a pre-checkout hook to limit read access. As it is now, we
have to use separate repositories to accomplish that.

  _____

From: Butlin, Jason (UK - Epsom) [mailto:jbutlin@deloitte.co.uk]
Sent: Tuesday, February 01, 2005 1:43 AM
To: Benjamin C. Allfree; users@subversion.tigris.org
Subject: RE: Howto: user-level permissions on Windows?

 

It depends what sort of access restrictions you want. I don't believe you
can limit the read access on a folder by folder basis, but you can limit the
ability to commit to certain folders.

 

What you need to do is create a pre-commit hook for the repository in
question. This will then check the user performing the commit, check the
files being committed, and only allow the process to continue if the user
has access to all the relevant folders. There is mention of this in the
documentation, and an example Perl script that does exactly what you want in
the SVN repository.

 

Unfortunately, all the examples are based on Unix/Linux, which can actually
run Perl properly - unlike Windows. So for the benefit of any Windows users
out there....

 

Firstly, you need to install a Perl interpreter on the SVN server machine,
such as http://www.activestate.com/Products/ActivePerl/

 

You then need to place the attached batch file into the hook sub-directory
of the repository to be controlled, changing the references to drives and
the script location accordingly. You'll notice that a number of files get
created to the root of G: in my case. This is necessary because Perl on
Windows cannot fork the look process correctly. So I got round the problem
by getting the batch file to create these temporary files, which the Perl
script can then read.

 

You then need to place the attached Perl script into the directory that
matches the call from the batch file. This is basically the same script
provided as an example with the SVN source code, but with changes to read
the temporary file and work under Windows.

 

Last step. You now need to create the file that holds the security
information. Unfortunately, I've removed all the comments from my file, but
it's fairly straightforward to work out the format. Create a file in the
root of the repository to be protected called commit-access-control.cfg. In
this file, you can create a number of ini sections with the following format:

   [unique name]
   match = sed_style_matching_string
   users = user1
   users = user2
   access = read-write or read-only

 

Here's a few entries from my cfg file

 

[Global Read-Only]
match = .*
access = read-only

 

[Give administrators global access]
match = .*
users = jbutlin
access = read-write

 

[Allow writing to the Installation Trunk]
match = ^Installation/Trunk
access = read-write

 

 

Hope that helps

 

Jay

 

 

 

-----Original Message-----
From: Benjamin C. Allfree [mailto:benles@bldigital.com]
Sent: 31 January 2005 03:41
To: users@subversion.tigris.org
Subject: Howto: user-level permissions on Windows?

Hello,

 

I see that Subversion's stand-alone server allows for repository-level
permissions, but is there a way to do user-level permissions on Windows
without running Apache? I want to restrict access to certain project folders
within the same repository.

 

Ben

 

 

Received on Tue Feb 1 16:24:22 2005

This is an archived mail posted to the Subversion Users mailing list.
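
Added example, not part of the original mail or of the Perl script it refers to: a small Python model of how the commit-access-control.cfg entries quoted above decide a commit. It assumes sections are applied in file order with the last section matching both path and user winning, that a section without `users` applies to everyone, and that paths are repository-relative as in the `^Installation/Trunk` rule; the names `parse_cfg`, `denied_paths` and the user `admin2` are hypothetical.

```python
import re

# Constructed sample from the entries quoted in the mail; 'admin2' is a made-up user.
SAMPLE_CFG = """\
[Global Read-Only]
match = .*
access = read-only
[Give administrators global access]
match = .*
users = jbutlin
users = admin2
access = read-write
[Allow writing to the Installation Trunk]
match = ^Installation/Trunk
access = read-write
"""

def parse_cfg(text):
    """Parse the ini-style rules, keeping file order and repeated 'users' keys."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"name": line[1:-1], "users": []})
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sections or not sep or key not in ("match", "users", "access"):
            raise ValueError(f"unexpected line: {raw!r}")
        if key == "users":
            sections[-1]["users"].extend(value.split())
        else:
            sections[-1][key] = value
    for s in sections:
        if "match" not in s or s.get("access") not in ("read-only", "read-write"):
            raise ValueError(f"section {s['name']!r} needs match and a valid access")
        s["regex"] = re.compile(s["match"])
    return sections

def denied_paths(sections, user, paths):
    """Return the changed paths this user may not commit to (empty list = allow)."""
    denied = []
    for path in paths:
        access = "read-only"  # this example fails closed if nothing matches
        for s in sections:    # file order: a later matching section overrides
            if s["regex"].search(path) and (not s["users"] or user in s["users"]):
                access = s["access"]
        if access != "read-write":
            denied.append(path)
    return denied
```

A pre-commit hook built on this model would reject the transaction whenever `denied_paths` returns a non-empty list, so one disallowed path blocks the whole commit.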
