
Setting up repository to not allow checkout on a directory

From: Giulio Troccoli <Giulio.Troccoli_at_uk.linedata.com>
Date: Wed, 16 Jan 2008 10:25:44 -0000

I know there are many posts on how to restrict access to a directory and
I'm following their advice and the SVN book's, but it still doesn't
work.

My repository contains a directory for every version of the product we
currently support. For reasons beyond the scope of this email we do not
want anybody but user svn to be able to do anything with the latest
version, even check it out.

I'm using Apache 2.0 and Subversion 1.4.4 on a Linux 2.6 box.

The Subversion configuration in Apache is as follows:

# Needed to do Subversion Apache server.
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so

# Only Needed if you decide to do "per-directory" access control.
LoadModule authz_svn_module modules/mod_authz_svn.so

# Set the log format
CustomLog logs/subversion.log "%t %u@%h %U %{SVN-ACTION}e" env=SVN-ACTION

<Location /svn-test>
   DAV svn
   SVNPath /data/TestRepositories/svn-test

   # Access Control Policy
   AuthzSVNAccessFile /etc/httpd/etc/svn-test.access

   # How to authenticate a user
   AuthType Basic
   AuthName "Subversion Testing Repository"
   AuthUserFile /etc/httpd/etc/passwd-svn-test

   # For any operations other than these, require an authenticated user
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      Order deny,allow
      Require valid-user
   </LimitExcept>
</Location>

And the access policy file is as follows:

[svn-test:/]
* = rw

[svn-test:/5.02]
gtroccol =

I thought this configuration allowed all access to everybody, but
restricted gtroccol from any access to 5.02. Eventually I will make use
of groups, but I want to make it work first.

But if I check-out svn-test as gtroccol I still have the 5.02 directory.

I had a look at the log file produced by Apache and I found this line:

[16/Jan/2008:10:05:21 +0000] -@10.112.11.47 /svn-test/!svn/vcc/default checkout-or-export '/'

It seems that Apache doesn't know who is checking-out and therefore
treats it as an anonymous access, thus allowing the check-out for 5.02.
However, when I commit I cannot because I am not allowed:

Sending 5.02/test/uno
svn: Commit failed (details follow):
svn: CHECKOUT of '/svn-test/!svn/ver/7/5.02/test/uno': 403 Forbidden (http://ln1sub01)

Instead, I can commit changes in the other directories.

This is in a way understandable. I had a browse through the Apache log
file and the only time when a user is present is when a commit (or a
revprop-change) is done (I was able to check this for other
repositories):

[16/Jan/2008:10:16:30 +0000] gtroccol@10.112.11.47 /svn-test/5.00 commit r25

I know this is probably an Apache question, but I wanted to check with
everyone who uses per-directory access in their repositories whether I
did something blatantly wrong in my configuration, or whether there is
something I'm missing that you have learned from experience (and
experimenting, maybe).

Regards,
Giulio Troccoli
 
 
Received on 2008-01-16 11:26:06 CET
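
Added example (not part of the original post, and not mod_authz_svn's own code): a simplified Python model of the access-file lookup, run on the post's access file and log lines, showing why a request logged with user `-` still reads /5.02 while gtroccol's commit there is refused. It assumes no groups, aliases or negated names; `parse_authz`, `effective_access` and `anonymous_actions` are names made up for this sketch.

```python
import re

# Access file from the post, verbatim.
AUTHZ = """[svn-test:/]
* = rw

[svn-test:/5.02]
gtroccol =
"""
# Two log lines from the post; the archive's "_at_" is written back as "@".
LOG = """[16/Jan/2008:10:05:21 +0000] -@10.112.11.47 /svn-test/!svn/vcc/default checkout-or-export '/'
[16/Jan/2008:10:16:30 +0000] gtroccol@10.112.11.47 /svn-test/5.00 commit r25
"""

def parse_authz(text):
    """Return {(repo, path): {name: access}} from [repo:/path] sections."""
    rules, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            repo, _, path = line[1:-1].rpartition(":")
            section = rules.setdefault((repo, path.rstrip("/") or "/"), {})
        elif section is not None:
            name, _, access = line.partition("=")
            section[name.strip()] = access.strip()
    return rules

def effective_access(rules, repo, path, user):
    """Simplified lookup (assumption: no groups, aliases or ~negation).
    The deepest section with an entry for the user or '*' decides;
    user=None models a request that arrived without credentials."""
    path = path.rstrip("/") or "/"
    while True:
        section = rules.get((repo, path), {})
        hits = [section[n] for n in (user, "*") if n in section]
        if hits:
            return "".join(sorted(set("".join(hits))))
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"

def anonymous_actions(log):
    """SVN-ACTION values logged with %u == '-' (no authenticated user)."""
    pat = re.compile(r"^\[[^\]]+\] (\S+)@\S+ \S+ (.+)$")
    matches = (pat.match(line) for line in log.splitlines())
    return [m.group(2) for m in matches if m and m.group(1) == "-"]

RULES = parse_authz(AUTHZ)
```

With `Require valid-user` placed inside `<LimitExcept GET PROPFIND OPTIONS REPORT>`, those four read methods are never challenged for credentials, so the `gtroccol =` rule for /5.02 is only consulted on writes. Requiring authentication for all methods makes reads arrive with a username that the per-user rule can match.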

This is an archived mail posted to the Subversion Users mailing list.
