need to restrict a subdirectory from a repo

From: Andreas Hasenack <andreas_at_mandriva.com.br>
Date: 2007-10-02 16:09:16 CEST

Hi,

I need to restrict read access to a directory in a repository. Since I
have a combination of possible access methods, care has to be taken to
cover them all. In particular, I'm concerned with http:// (read-only)
and svn+ssh:// (read-write).

To hide the directory from svn+ssh://, I'm using authz:
svnserve.conf:
[general]
authz-db = authz

authz:
[groups]
private = jsmith
[/]
# I have pre-commit hooks to further restrict write access
* = rw

[packages:/private]
@private = rw
* =

This works for svn+ssh://. Now, I tried http:// access, and even
specifying with a <Location> directive to forbid all access to
the /private location, access still works. Seems authz is overriding it.
My apache conf snippet:
<Location /svn/repos>
DAV svn
SVNPath /var/lib/svn/repositories/packages

        <LimitExcept GET PROPFIND OPTIONS REPORT>
                order deny,allow
                Deny from All
        </LimitExcept>
</Location>

<Location /svn/repos/private>
        Order deny,allow
        Deny from all
        Allow from trusted.host
</Location>

Unless I remove the authz config, I can access the /svn/repos/private
url even with the above Location denying it. Am I doing something wrong
or is this the way it is?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Oct 2 16:10:06 2007

This message: [ Message body ]
Next message: John Peacock: "Re: Pre/Post-processing files on check-in/out"
Previous message: Andy Levy: "Re: Pre/Post-processing files on check-in/out"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]