[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Setting up repository to not allowed checkout on a directory

From: Giulio Troccoli <Giulio.Troccoli_at_uk.linedata.com>
Date: Wed, 16 Jan 2008 10:25:44 -0000

I know there are many posts on how to restrict access to a directory and
I'm following theirs and the SVN book advices, but still it doesn't

My repository contains a directory for every version of the product we
currently support. For reasons beyond the scope of this email we do not
want anybody, but user svn, to be able to do anything, even checkout,
the latest version.

I'm using Apache 2.0 and Subversion 1.4.4 on a Linux 2.6 box.

The Subversion configuration I Apache is as follows

# Needed to do Subversion Apache server.
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so

# Only Needed if you decide to do "per-directory" access control.
LoadModule authz_svn_module modules/mod_authz_svn.so

# Set the log format
CustomLog logs/subversion.log "%t %u@%h %U %{SVN-ACTION}e"

<Location /svn-test>
   DAV svn
   SVNPath /data/TestRepositories/svn-test

   # Access Control Policy
   AuthzSVNAccessFile /etc/httpd/etc/svn-test.access

   # How to authenticate a user
   AuthType Basic
   AuthName "Subversion Testing Repository"
   AuthUserFile /etc/httpd/etc/passwd-svn-test

   # For any operations other than these , require an authenticated user
      Order deny,allow
      Require valid-user

And the access policy file is as follows

* = rw

gtroccol =

I thought this configuration allowed all access to everybody, but
restrict gtroccol from any access to 5.02. Eventually I will make user
of the groups, but I want to make it works first.

But if I check-out svn-test as gtroccol I still have the 5.02 directory.

I had a look at the log file produced by Apache and I found this line:

[16/Jan/2008:10:05:21 +0000] -_at_10.112.11.47 /svn-test/!svn/vcc/default
checkout-or-export '/'

It seems that Apache doesn't know who is checking-out and therefore
treats it as an anonymous access, thus allowing the check-out for 5.02.
However, when I commit I cannot because I am not allowed:

Sending 5.02/test/uno
svn: Commit failed (details follow):
svn: CHECKOUT of '/svn-test/!svn/ver/7/5.02/test/uno': 403 Forbidden

Instead, I can commit changes in the other directories

This is in a way understandable. I had a browse through the Apache log
file and the only time when a user is present is when a commit (or a
revprop-change) is done (I was able to check this for other

[16/Jan/2008:10:16:30 +0000] gtroccol_at_10.112.11.47 /svn-test/5.00 commit

I know this is probably an Apache question, but I wanted to check with
everyone that uses per-directory access in their repositories whether I
did something blatantly wrong in my configuration, or there is something
I'm missing and that you have learned for experience (and experimenting

Giulio Troccoli
Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
Registered in England and Wales No 3027851 VAT Reg No 778499447

To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-01-16 11:26:06 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.