[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Authorization problem

From: Crucius, Wesley <WCrucius_at_sandc.com>
Date: 2005-06-14 23:04:14 CEST

Well, I apologize, I guess... This appears to be partially a caching
problem within the browser on the client side and partially what I think
is a minor bug. If I change svn-access-policies (and save it) from this
(see in context below):
...
[repos2:/proj three]
@apps-swdev = r
...
 
to this:
...
[repos2:/proj three]
@apps-swdev =
...
 
And then hit the refresh button (there are no proxies at work here) on a
browser window that was already open to that path, I still get to see
it's contents, but if I close and re-start the browser, I get access
denied with the same exact URL.
 
Does this surprise or concern anyone? It works fine for me now that I
understand it, but others may have concerns that some policy changes
don't "take effect" immediately.
 
Thanks,
Wes

________________________________

From: Crucius, Wesley [mailto:WCrucius@sandc.com]
Sent: Tuesday, June 14, 2005 11:54 AM
To: users@subversion.tigris.org
Subject: Authorization problem

I am running version 1.1.1 (using Apache on W2k3 server) and having a
problem with my authorization file. What I want is to allow r/w access
to the whole repository except for one directory, where I want r/w
access for one group and then read-only access to a sub-directory of
that directory. Here's an approximation of the structure

http://my-server.com/svn/repos2 <http://my-server.com/svn/repos2>
                               /proj one/...
                               /proj two/...
                               /proj three
                                          /released/...
                                          /trunk/...

So essentially I want to allow read/write access to everything for all
the groups with the following exceptions for "proj three" and it's
"sub-directories":

1. No access to "proj three" for apps-hwdev (they only know hardware
anyway...)
2. read-only access to only the "proj three/released" sub-dir for
apps-swdev (the lowly application developers)
3. read/write access to all of "proj three" for rtos-swdev (the
Real-Time Operating System "gods")

Here's the relavant section of httpd.conf:
<Location /svn/>
    DAV svn
    # Repository location
    SVNParentPath E:/Apache2/svn/
    # Repository Authentication Mechanism
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile etc/svn-auth-file
    AuthzSVNAccessFile etc/svn-access-policies
    Require valid-user
</Location>

And here's svn-access-policies:
[groups]
apps-swdev = user1, user2
apps-hwdev = user3, user4
rtos-swdev = superuser1, superuser2

[repos2:/]
@apps-swdev = rw
@apps-hwdev = r
@rtos-swdev = rw

[repos2:/proj three/]
@apps-swdev =
@apps-hwdev =
@rtos-swdev = rw

[repos2:/proj three/released]
@apps-swdev = r
@apps-hwdev =
@rtos-swdev = rw

But this doesn't seem to work... For example, users in the group
"apps-swdev" can read "/proj three/trunk".

One suspicion that I had was that the spaces needed to be specified as
in URLs (so, "/proj%20three/" instead of "/proj three/"), but that
didn't seem to have any effect. Is there something about the order of
the sections in svn-access-policies?

My interpretation of page 102 of "THE BOOK" tells me that this should
work...
Can anyone help me see the error of my ways?

Thanks,
Wes
Received on Tue Jun 14 23:06:17 2005

This is an archived mail posted to the Subversion Users mailing list.