[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

per directory access control issue on multiple repository with Apache

From: Denis SAGET <geodni_at_free.fr>
Date: 2007-05-24 17:19:12 CEST

Hello, I'm having trouble with fine grain permissions on a Per-Directory
Access Control and multiple subversion repositories under apache.

I use subversion-1.4.3_2, neon-0.26.3, apache-2.0.59, db4-4.0.14_1,1
under FreeBSD 5.5-STABLE on a standard PC. The URLs looks like
https://svn.domain.com/myrepo or https://svn.domain.com/otherrepo. The
server runs fine since 2 years, I don't have any problem with multiple
repos. Today, I must give read/write acces to some users and no access
to everybody on a subdirectory of one repository.

I must give everybody read access (comment the line like "#*=" or give
"*=r" to the subdir repo in authz file) to give the write permission for
authenticated users to a subdirectory [myrepo:/myrepo-coreV1] in this
repository. If I don't give everybody read permission, only the admin
group can read/write anything. All other rules in each subdir inside
"myrepo" and the "otherrepo" work great.

Some apache logs

[Thu May 24 14:24:25 2007] [error] [client 10.0.0.112] Access denied: -
GET myrepo:/myrepo-coreV1, referer: https://svn.domain.com/myrepo/

I noticed that you cannot use the "LimitExcept" directive if there is
"*=" in the authz file for one repository. Is it documented somewhere.

Here are the elements of the config:

Apache:
=======

    <Location /myrepo>
        DAV svn
        SVNPath /home/www/domain.com/svn/repos/myrepo
        AuthzSVNAccessFile /home/www/domain.com/svn/conf/global_authz
        Satisfy Any
        # Limit write permission to list of valid users.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require valid-user
            AuthType Basic
            AuthName "Subversion myrepo Repositories"
            AuthUserFile /home/www/domain.com/svn/conf/svn_users
        </LimitExcept>
    </Location>
    <Location /otherrepo>
        DAV svn
        SVNPath /home/www/domain.com/svn/repos/otherrepo
        AuthzSVNAccessFile /home/www/domain.com/svn/conf/global_authz
        Require valid-user
        AuthType Basic
        AuthName "Subversion otherrepo Repositories"
        AuthUserFile /home/www/domain.com/svn/conf/svn_users
    </Location>

global_authz:
=============

[groups]
admin = myusername
myrepocontrib = user1, user2, user3
myrepoV1contrib = user1, user2
otherrepo = user1, user4, user5

[/]
@admin = rw
* =

[myrepo:/]
@admin = rw
@myrepocontrib = rw
* = r

[rmyrepo:/myrepo-core/taglib]
@admin = rw
@myrepocontrib = rw
user4 = rw
* = r

[myrepo:/myrepo-coreV1]
@admin = rw
@myrepoV1contrib = rw
#* =

[otherrepo:/]
@admin = rw
@otherrepo = rw
* =

Does anybody get some idea where I would have make a mistake or
something else ? I search on the Internet for a long time but I did not
find anything to explain it.

Thanks for any help.

Geodni

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu May 24 17:17:09 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.