Re: subversion security, everyone can commit, limited to who can delete

From: Frank Gruman <fgatwork_at_verizon.net>
Date: 2005-10-14 20:20:14 CEST

plabonte@gmail.com wrote:
> right but what do I put for the users that I do not want the rights to
> delete?
>
>> If you want to prevent ANYONE from deleting ANYTHING in the
>> repository, try this:
>> <Limit DELETE>
>> </Limit>
>>
>> If you want to allow only certain users to delete, try this:
>> <Limit DELETE>
>> require user someuser1
>> </Limit>
>>
>> This will have the effect of LIMITing only those items that appear
>> behind them. Only the user allowed in the REQUIRE directive is going
>> to be able to delete. In your original example, the only thing
>> anyone could do was DELETE. No one could GET or PUT.
>>
> So should I also put a require valid-user somewhere on the outside of
> the <limit> statements...?
>
> something like:
>
> <Location /www/dav/ns32>
> Require user adminuser
> <Limit DELETE>
> Require user deleteuser
> </Limit>
> <Limit GET PROPFIND OPTIONS>
> Require user readuser
> </Limit>
> </Location>
>
>

Here is a sample of a configuration that works for me. I added the
<Limit...> to show you as a reference.

    <Location /code>
      DAV svn
      SVNParentPath /code_repos
      SVNIndexXSLT /svnindex.xsl
      AuthType Basic
      AuthName "Code Repository"

    # AuthUserFile /code_repos/users.list
      AuthPAM_Enabled on
      require valid-user
      AuthzSVNAccessFile /code_repos/access.list
      <Limit DELETE>
        require user username1 username2
      </Limit>
    </Location>

This will require that there be a valid user to do anything in the
repository. However, the only people allowed to delete anything will be
username1 and username2. The read and write access to the repository is
controlled within the SVN (mod_authz_svn) module itself, and I use the
AuthzSVNAccessFile to set those permissions.

Regards,
Frank

Received on Fri Oct 14 20:24:15 2005
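
A small lint for two pitfalls that are easy to hit when writing `<Limit>` sections like those in this thread: a section with no directives inside (it restricts nothing) and a `Require` line missing its `user`, `group` or `valid-user` keyword. This is an added example, not part of the original mail; the sample configuration, the accepted keyword set and the `audit` function are constructed for illustration.

```python
import re

# Constructed sample, modelled on the kind of snippets discussed in this thread.
SAMPLE = """\
<Location /code>
  require valid-user
  <Limit DELETE>
    require user username1 username2
  </Limit>
  <Limit PROPFIND>
  </Limit>
  <Limit PUT>
    require someuser1
  </Limit>
</Location>
"""

# Require keywords this check accepts (assumption: extend the set if your
# auth modules define others).
KNOWN = {"user", "group", "valid-user"}

def audit(conf):
    """Return (rules, findings); rules are (methods, require_args) pairs,
    with methods None when the Require sits outside any <Limit>."""
    rules, findings = [], []
    limit = None  # [methods, directive_count, opening_line] while inside <Limit>
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)limit\b([^>]*)>$", line, re.I)
        if tag and not tag.group(1):
            limit = [tuple(tag.group(2).split()), 0, no]
        elif tag:
            if limit and limit[1] == 0:
                findings.append(f"line {limit[2]}: empty <Limit {' '.join(limit[0])}> restricts nothing")
            limit = None
        elif not line.startswith("<"):
            if limit:
                limit[1] += 1
            words = line.split()
            if words[0].lower() == "require":
                rules.append((limit[0] if limit else None, words[1:]))
                if len(words) < 2 or words[1].lower() not in KNOWN:
                    findings.append(f"line {no}: Require without user/group/valid-user keyword")
    return rules, findings
```

The `rules` list shows which methods each `Require` is scoped to, which makes it easy to review a `<Location>` block before reloading the server.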

This is an archived mail posted to the Subversion Users mailing list.