
authz woes

From: Christoph Ludwig <ludwig_at_fh-worms.de>
Date: 2007-08-14 14:47:58 CEST

Hi,

I use subversion 1.4.4 (with Apache httpd 2.2.4) on a Linux machine. (I pasted
the relevant excerpt from my vhost configuration at the end of this mail.)
I have a repository named "test" and an authz file with the following content:

  [/]
  * =
  Alice = rw
  Bob = r
  Oskar =

  [/dir1/dir1_1/]
  Bob = rw

  [/dir1/dir1_2/]
  Oskar = r

  [/dir2/]
  Alice =

The description in
<URL:http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html>
made me expect that Alice can check out every folder except /dir2. However:

  cludwig@testserver:~$ /opt/subversion-1.4.4/bin/svn co --username Alice --no-auth-cache https://testserver.fh-worms.de:8443/svn/test/TRUNK/ trunk_alice
  Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
  Password for 'Alice':
  A trunk_alice/dir1
  A trunk_alice/dir1/dir1_1
  A trunk_alice/dir1/dir1_1/file_a
  A trunk_alice/dir1/dir1_2
  A trunk_alice/dir1/dir1_2/file_b
  A trunk_alice/dir2
  A trunk_alice/dir2/file_c
  Checked out revision 1.

Alice can check out /dir2 without problems. (She can even commit modifications
in /dir2.)

Now to Bob. Bob can read / check out everything as expected. But
any attempt to check in a changed file results in a "403 Forbidden"
error, even in /dir1/dir1_1:

  cludwig@testserver:~/trunk_bob/dir1/dir1_1$ echo test_bob > file_a
  cludwig@testserver:~/trunk_bob/dir1/dir1_1$ /opt/subversion-1.4.4/bin/svn ci -m 'Can Bob write to /dir1/dir1_1 ?' --username Bob --no-auth-cache
  Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
  Password for 'Bob':
  Sending dir1_1/file_a
  svn: Commit failed (details follow):
  svn: CHECKOUT of '/svn/test/!svn/ver/2/TRUNK/dir1/dir1_1/file_a': 403 Forbidden (https://testserver.fh-worms.de:8443)

Finally, my intention was that Oskar has full access to /dir1/dir1_2/, but to
no other folder. I know that (some) previous subversion releases required read
access to / if one wanted any access to a subfolder, but I thought this
restriction was lifted in 1.4. However, Oskar cannot even check out
/dir1/dir1_2/:

  cludwig@testserver:~$ /opt/subversion-1.4.4/bin/svn co --username Oskar --no-auth-cache https://testserver.fh-worms.de:8443/svn/test/TRUNK/dir1/dir1_2 dir1_2_oskar
  Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
  Password for 'Oskar':
  svn: PROPFIND request failed on '/svn/test/TRUNK/dir1/dir1_2'
  svn: PROPFIND of '/svn/test/TRUNK/dir1/dir1_2': 403 Forbidden (https://testserver.fh-worms.de:8443)

It seems either I completely misunderstood how path based access control is
supposed to work or there is some bug... I'd appreciate any help.

Regards

Christoph

Apache configuration excerpt:

    <IfModule mod_dav_svn.c>

        <Location /svn/>
            DAV svn
            
            # the "test" repository is in /srv/svn/test
            SVNParentPath /srv/svn/

            # Don't ask for client certificates
            SSLVerifyClient none

            # Authenticate by a simple password file.
            AuthName "subversion repositories"
            AuthType basic
            AuthUserFile /srv/svn/test/conf/httpd.passwd

            #################
            # Authorization #
            #################

            # try anonymous access first, resort to real
            # authentication if the authorization policy
            # makes it necessary.
            satisfy any
            require valid-user

            # authorization policy file
            AuthzSVNAccessFile /srv/svn/test/conf/authz

        </Location>

        <Directory /srv/svn>
            Options +Indexes +Multiviews -FollowSymLinks
            IndexOptions FancyIndexing \
            ScanHTMLTitles \
            NameWidth=* \
            DescriptionWidth=* \
            SuppressLastModified \
            SuppressSize

            order allow,deny
            allow from all
        </Directory>

    </IfModule>

-- 
FH Worms - University of Applied Sciences
Fachbereich Informatik / Telekommunikation
Erenburgerstr. 19, 67549 Worms, Germany
Received on Tue Aug 14 14:48:11 2007

This is an archived mail posted to the Subversion Users mailing list.
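
The three results reported in the mail can be reproduced with a small lookup model, added here as an example that is not part of the original mail and is not Subversion's code. It assumes section names are compared as exact strings against in-repository paths (which here begin with /TRUNK and carry no trailing slash), falling back to the parent directory when no section matches; all function names are hypothetical.

```python
# Added example: simplified model of path-based authz lookup (an assumption, not Subversion's code).
# AUTHZ is the file quoted in the mail, without indentation or blank lines.
AUTHZ = """\
[/]
* =
Alice = rw
Bob = r
Oskar =
[/dir1/dir1_1/]
Bob = rw
[/dir1/dir1_2/]
Oskar = r
[/dir2/]
Alice =
"""
# In-repository paths, constructed from the checkout listing and URLs in the mail.
REPO_PATHS = ["/TRUNK/dir1/dir1_1/file_a", "/TRUNK/dir1/dir1_2/file_b", "/TRUNK/dir2/file_c"]

def parse_authz(text):
    """Parse the file into {section_path: {principal: rights}}."""
    rules, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = rules.setdefault(line[1:-1], {})
        elif "=" in line and section is not None and not line.startswith("#"):
            who, _, rights = line.partition("=")
            section[who.strip()] = rights.strip()
    return rules

def ancestors(path):
    """Yield the path itself, then each parent directory, ending at '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def access(rules, user, path):
    """Return (rights, deciding_section) for a canonical in-repository path."""
    for p in ancestors(path):
        for who in (user, "*"):  # assumed precedence: named user, then '*'
            if who in rules.get(p, {}):
                return rules[p][who], p
    return "", None

def never_matched(rules, repo_paths):
    """Audit check: sections that can decide access for none of the given paths."""
    reachable = {a for p in repo_paths for a in ancestors(p)}
    return sorted(s for s in rules if s not in reachable)
```

Under this model every request in the mail is decided by the `[/]` section, and `never_matched` lists the other three sections as unreachable for the paths in this repository.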