[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

apache / subversion / access doesn't follow documented rules?

From: Thomas Beale <thomas_at_deepthought.com.au>
Date: 2005-07-23 13:48:55 CEST

Hi,

[platform: server = debian sarge / svn 1.2 / apache 2.0.54; client =
Windows XP; TortoiseSVN 1.2]

I have a number of repostories set up on the server which logically
should have the following kinds of permissions:

        dev1 - anon read, auth required for any modifying operation
        dev2 - anon read, auth required for any modifying operation
        devN - ...etc
        webdev - our website; auth required for read and write

I cannot find any combination of Apache directives to make this work
properly.

First attempt (apache2.conf include file):

        <VirtualHost 1.2.3.4>
           ...
                 <Location />
                 DAV svn
                 SVNParentPath /usr/local/var/svn

                 # authorisation
                 AuthzSVNAccessFile /etc/subversion/access-control

                 # authentication
                 AuthType Basic
                 AuthName "Subversion Repository"
                 AuthUserFile /etc/subversion/authentication

                 # anonymous access rules
                 <LimitExcept GET PROPFIND OPTIONS REPORT>
                         Require valid-user
                 </LimitExcept>
                 </Location>
        </VirtualHost>

This works fine for the devX repositories - users are only challenged
for write operations like commit. But accessing the webdev repository
always results in a "403 forbidden access" - even though in the
access-control file, the permissions are set such that that repository
allows only named users to access in 'r' or 'rw' modes.

This is probably correct behaviour, since the above configuration is
allowing authentication to be bypassed for read-only operations, for all
repositories, so the user isn't authenticated by the time the
access-control settings are looked up.

Next attempt: same as before, but remove the <LimitExcept> lines, i.e.

        Require valid-user

is required for all repositories. Now the webdev repository works
properly, but of course read access to the others requires
authentication, which is a severe annoyance.

Third attempt:

<VirtualHost 1.2.3.4>
         ...
         <Location /webdev>
                 DAV svn
                 SVNPath /usr/local/var/svn/webdev

                 # authorisation
                 AuthzSVNAccessFile /etc/subversion/access-control

                 # only valid users allowed
                 Require valid-user

                 # authentication
                 AuthType Basic
                 AuthName "Subversion Repository"
                 AuthUserFile /etc/subversion/authentication
         </Location>

         <Location />
                 DAV svn
                 SVNParentPath /usr/local/var/svn

                 # authorisation
                 AuthzSVNAccessFile /etc/subversion/access-control

                 # authentication
                 AuthType Basic
                 AuthName "Subversion Repository"
                 AuthUserFile /etc/subversion/authentication

                 # anonymous access rules
                 <LimitExcept GET PROPFIND OPTIONS REPORT>
                         Require valid-user
                 </LimitExcept>
         </Location>
</VirtualHost>

I messed around with SVNParentPath and SVNPath, and also other details
here, but always the same thing - 403 forbidden on the webdev
repository, normal anonymous access on the others. Apache is definitely
matching the "/webdev" in the first Location directive, since I can put
them in the reverse order and then for webdev, I do not have to
authenticate at all (which must be wrong, since the access-control file
always requires it).

This kind of combination of repositories cannot be that strange - does
anyone else have a solution?

- thomas beale

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sat Jul 23 14:03:25 2005

This is an archived mail posted to the Subversion Users mailing list.