[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: mod_authz_svn and branches (copying)

From: Josh Gilkerson <jwg_at_google.com>
Date: 2007-04-30 21:35:31 CEST

I'm not sure how this would interact with mod_authz_svn and the
'special' dav urls, but you could limit access to any url matching
'.*/secret(/.*|)' using apache access control mechanisms. This isn't
bulletproof, but it should help with forgetting to change the
permissions when creating a branch.

You could also set write permission to /branches to read-only for
everyone and then grant permissions on each branch. If it is read-only
for all, creating the branch would require the admin to edit the
permissions file anyway. Hopefully they would see a comment telling
them what needs to be done for the branch.

On 4/30/07, Frank Wallingford <frank.wallingford@technologist.com> wrote:
> Matt Sickler wrote:
> > I would also think that mod_authz_svn would notice that the user trying
> > to copy the protected folder into a branch doesnt have access to read it
> > and would not copy it, but without some experimentation I do not know
> > for sure.
>
> Yes, I believe this is true - only people who have access can copy the
> directory to a tag, so that's not a concern. I saw the code in
> mod_authz_svn.c a few days ago that did this check looking for
> "svn_authz_recursive".
>
> Once it is copied, though, I have to "remember" to restrict permissions
> in the copy, which is what I'm apt to forget.
>
> -Frank
>
> --
> --------------------------------------------
> Frank Wallingford
> frank.wallingford@technologist.com
>

-- 
Josh Gilkerson
Software Engineer
Google, Inc  MV-1600 Plymouth (HQ)
+1 (650) 253-1667 direct
+1 (859) 608-7827 cell
jwg@google.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Apr 30 21:36:02 2007

This is an archived mail posted to the Subversion Users mailing list.