
Re: Per-Directory Access Control without AuthzSVNAccessFile ?

From: Jani Averbach <jaa_at_jaa.iki.fi>
Date: 2005-05-26 01:59:51 CEST

On 2005-05-25 18:33+0200, Maurer, Hermann wrote:
> At the moment, the following block in the httpd.conf is responsible for
> the repository:
> --------------------------------httpd.conf------------------------------
> <Location /projects/REPO>
> DAV svn
> SVNPath /data/svn/projects/REPO
> allow from all
> AuthName "Access to the repository REPO"
> AuthLDAPEnabled on
> AuthLDAPURL "ldap://host.domain/dc=company,dc=com?cn?sub?"
> require group CN=svn_REPO,OU=groups,OU=city,DC=company,DC=com
> AuthzSVNAccessFile /data/svn/projects/REPO_access.conf
> </Location>
> --------------------------------httpd.conf------------------------------
> As you can see, the users must supply their credentials and be a member
> of the LDAP Group svn_REPO to be able to access REPO.
> ...
> The anonymous access is not for us: If I use '* = r' in the file
> REPO_access.conf, EVERY user can get access to REPO (not to DIR1) !
> So in the case I must not be a member of the LDAP Group svn_REPO :-(

No, this is wrong, only users who are authorized to be a part of
your ldap-group are allowed to see your /projects/REPO mapping at
all. After that it is checked if they could see a part of the repository by
AuthzSVNAccess. Try it! =)

> ____How should I restrict the access to DIR1 correctly and, if possible,
> without AuthzSVNAccessFile ?____

I think it is still easier that you revoke access rights to the DIR1
for all, and grant them back to the management group.

> The second problem is the following:
> Let's assume a PM decides to create a new branch and saves this in
> BRANCHES. This would mean that I'd need to build a new rule to deny
> access to the 'copied' content of DIR1 in BRANCHES ! Otherwise D can
> suddenly get access to DIR1 under BRANCHES. The same would happen with
> TAGS. Unfortunately there is no chance to use patterns in
> REPO_access.conf now. For this reason I have to forbid @team full access
> to BRANCHES and TAGS :-(
> [/branches]
> @team =
> @manager = rw
> But this is painful. Has anybody had and solved the problem ?

How about if you create a second tree outside of the actual trunk, where
this DIR1 could live, and therefore it would be tagged and branched
as a different tree? Is this unacceptable? It would be really nice if
SVN had real in-tree ACLs, but it doesn't.

BR, Jani

-- 
Jani Averbach
Received on Thu May 26 02:01:48 2005
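The rule layering Jani describes and the branch/tag copy problem from the quoted mail, as an added example that is not from the thread: a small Python model of how mod_authz_svn resolves AuthzSVNAccessFile rules (the nearest path section on the way up to / decides, explicit user or group rules beat `*`, no rule at all means denied). The access file, users and groups are constructed; it models only the path rules, not the LDAP `require group` check that Apache performs first.

```python
# Constructed access file following Jani's advice: revoke DIR1 for everyone,
# then grant it back to the managers. Users and groups are hypothetical.
ACCESS_FILE = """[groups]
team = alice, dave
manager = pat
[/]
@team = rw
@manager = rw
[/trunk/DIR1]
* =
@manager = rw
[/branches]
@team =
@manager = rw"""

def parse_authz(text):
    """Split an AuthzSVNAccessFile into its [groups] table and path sections."""
    groups, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current is not None:
            key, _, value = (part.strip() for part in line.partition("="))
            if current == "groups":
                groups[key] = [m.strip() for m in value.split(",") if m.strip()]
            else:
                sections.setdefault(current, []).append((key, value))
    return groups, sections

def applies(principal, user, groups):
    """Does a rule's left-hand side (user, @group or *) cover this user?"""
    if principal.startswith("@"):
        return user in groups.get(principal[1:], [])
    return principal in ("*", user)

def access(user, path, text=ACCESS_FILE):
    """Rights ('', 'r' or 'rw') for user at path: the nearest section that has
    a rule covering the user decides; explicit rules there override '*'."""
    groups, sections = parse_authz(text)
    while True:
        rules = sections.get(path, [])
        named = [r for p, r in rules if p != "*" and applies(p, user, groups)]
        if named:  # union of the explicit rules that name the user
            return "".join(c for c in "rw" if any(c in r for r in named))
        star = [r for p, r in rules if p == "*"]
        if star:
            return star[0]
        if path == "/":
            return ""  # walked up to the root without finding any rule
        path = path.rsplit("/", 1)[0] or "/"
```

Dropping the `[/branches]` section shows the problem from the mail: a copy of /trunk/DIR1 under /branches falls back to the `[/]` grant, so the team member sees it again.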

This is an archived mail posted to the Subversion Users mailing list.