Rainer Sokoll wrote:
> Hi all,
>
> (I've read through authz: what has precedence when user..., but this
> does not cover my problem, I think.)
>
> svn 1.3.1 running as an apache DSO.
> Access to the entire webserver only for authenticated users.
>
> Snippet from httpd.conf:
> </Location>
> <Location /foo/>
> Include conf/subversion.conf
> SVNParentPath /svn/svn/foo
> AuthzSVNAccessFile conf/svnaccess/svnaccess.foo
> AuthName "Access to HR area"
> </Location>
>
> Snippet from subversion.conf:
> DAV svn
> SVNIndexXSLT "/svnindex.xsl"
> SVNListParentPath on
> AuthType Basic
> [AuthLDAP stuff]
> require valid-user
>
> Now for svnaccess.foo:
> [groups]
> restrictgroup = external1, external2
> agroup = internal1, internal2
> [/]
> @restrictgroup =
> * = r
> [aproject:/]
> @agroup = rw
>
> I would think:
> 1.: external1 and external2 are not allowed to see the root ([/]).
> 2.: As access controls are inherited, both also cannot see aproject.
> But they see all :-(
>
> If I use this:
> [aproject:/]
> @restrictgroup =
> @agroup = rw
>
> external1 and external2 cannot access aproject. But I do not want to
> use this, since I have a lot of projects and sometimes I may forget
> to deny access.
> What I want to have: members of restrictgroup shall only see a certain
> directory in a certain project. They also must not read the root
> (SVNParentPath).
> How would you do this?
The problem (which has been pretty soundly discussed in the thread you
mention) is that the "* = r" line grants read access to everyone, even
those in restrictgroup. To get around this, you have to currently do
something like your last example, where you define a group that includes
everyone but your restricted users, and grant read access to that group,
rather than doing global read.
-David
Received on Tue May 23 16:00:42 2006
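
Added example (not part of the original thread and not Subversion's own code): a small Python check for the pitfall David describes, where an empty-rights entry shares a section with a `*` grant and therefore denies nothing. The precedence rule is taken from the reply above; the function name and the `everyone_else` group are hypothetical, and both sample files are constructed from the access file quoted in the question.

```python
import configparser

# Constructed sample: the access file quoted in the question.
SAMPLE_AUTHZ = """\
[groups]
restrictgroup = external1, external2
agroup = internal1, internal2
[/]
@restrictgroup =
* = r
[aproject:/]
@agroup = rw
"""

# Constructed sample: the workaround from the reply. "everyone_else" is a
# hypothetical group listing every user who is not restricted.
FIXED_AUTHZ = """\
[groups]
restrictgroup = external1, external2
agroup = internal1, internal2
everyone_else = internal1, internal2
[/]
@everyone_else = r
[aproject:/]
@agroup = rw
"""

def find_overridden_denies(authz_text):
    """Return (section, principal, wildcard_rights) for every empty-rights
    entry that sits in the same section as a non-empty '*' grant.
    Assumption (from the reply): the '*' grant wins over such an entry."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep user and group names case-sensitive
    parser.read_string(authz_text)
    findings = []
    for section in (s for s in parser.sections() if s != "groups"):
        rules = {name: value.strip() for name, value in parser.items(section)}
        wildcard = rules.get("*", "")
        if not wildcard:
            continue  # nothing is granted to everyone in this section
        for principal, rights in rules.items():
            if principal != "*" and rights == "":
                findings.append((section, principal, wildcard))
    return findings

if __name__ == "__main__":
    for section, principal, rights in find_overridden_denies(SAMPLE_AUTHZ):
        print(f"[{section}] '{principal} =' is overridden by '* = {rights}'")
```

Running the check over every access file before deployment catches the "I may forget to deny access" case raised in the question, since any section that reintroduces `* = r` next to a deny is reported.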