RE: svn up and per-directory access

From: Gleason, Todd <tgleason_at_impac.com>
Date: Fri, 27 Feb 2009 12:42:48 -0800

> -----Original Message-----
> From: Børre Gaup [mailto:albbas_at_gmail.com] On Behalf Of Børre Gaup
> Sent: Friday, February 27, 2009 3:03 AM
> To: users_at_subversion.tigris.org
> Subject: Re: svn up and per-directory access
>
> On Thursday, 26 February 2009 19.35.11, Bob Archer wrote:
> > > When I check out the repository as a user allowed to read and write testdir1,
> > > I only get testdir2 in the myrepository directory, and am not able to get to
> > > it through svn up either.
> > > If I check out testdir1 specifically, then I get it.
> >
> > Ok, if you are checking out the "repository" (implies root folder to me)
> > that could be the problem.
>
> Yes, that was what I meant :)
>
> > Since your root allows "r" access for all that
> > is the access you get.... as it traverses the folders it doesn't have
> > authentication to get your testdir1.
> >
> > You should check out each folder separately.
> >
>
> But if I want to restrict access to parts of a repository, but allow seamless
> access to the whole repository to specific users, then what you suggest won't
> work.
>
> In our setup, having the folders with restricted access properly integrated
> with the rest of the local sandbox is important. How can we achieve that?

Very carefully? Give out read access to everyone at the root. Deny read access to restricted users while granting it back to users who should have it, on any subdirectory that isn't a parent/grandparent of the desired access directory. Repeat this as needed at each level. Then you minimize the exposure of what these restricted users can read. For example, to give restricted_users access to /foo/bar/baz:

# users and restricted_users are groups defined in the [groups] section
# (not shown); in access rules a group name takes the "@" prefix
[repo:/]
*=r
# give regular users full control (just an example)
@users=rw

[repo:/no]
# restricted users can't touch this
@restricted_users=

[repo:/foo/no]
# restricted users can't touch this
@restricted_users=

[repo:/foo/bar/no]
# restricted users can't touch this
@restricted_users=

[repo:/foo/bar/baz]
# restricted users have full access here
@restricted_users=rw

So restricted_users can read the immediate contents of /, /foo, /foo/bar, and can read/write /foo/bar/baz, but they cannot even read any of the specified "no" sibling directories. As long as you keep your real data out of those directories, you should be able to keep restricted_users from even seeing anything they shouldn't.

As to how "seamless" it is for restricted_users to do a checkout at a higher level than /foo/bar/baz, I have no idea. But for the "users" group it should be no trouble.
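
The path lookup these rules rely on, as an added example that is not part of the original message: a simplified Python model of the authz walk (the nearest section that names the user decides; aliases, "~" negation and "$" tokens are not modelled). The repository name repo comes from the message; the group members alice and bob, the path /foo/new and the function names are assumptions.

```python
import configparser
from posixpath import dirname

# Constructed authz file: the rules from the message above, written with the
# "@" group prefix. The [groups] members (alice, bob) are made up.
AUTHZ = """
[groups]
users = alice
restricted_users = bob
[repo:/]
* = r
@users = rw
[repo:/no]
@restricted_users =
[repo:/foo/no]
@restricted_users =
[repo:/foo/bar/no]
@restricted_users =
[repo:/foo/bar/baz]
@restricted_users = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in cp["groups"].items()}
    return cp, groups

def access(cp, groups, repo, user, path):
    """Simplified lookup: the nearest section that names the user decides."""
    while True:
        section = f"{repo}:{path}"
        if cp.has_section(section):
            hits = [v for k, v in cp[section].items()
                    if k == "*" or k == user
                    or (k.startswith("@") and user in groups.get(k[1:], ()))]
            if hits:  # grants from all matching lines are combined
                return "".join(sorted(set("".join(hits).replace(" ", ""))))
        if path == "/":
            return ""
        path = dirname(path)

def readable(cp, groups, repo, user, paths):
    return [p for p in paths if "r" in access(cp, groups, repo, user, p)]

if __name__ == "__main__":
    cp, groups = load(AUTHZ)
    tree = ["/", "/no", "/foo", "/foo/no", "/foo/new", "/foo/bar/baz"]  # constructed
    print(readable(cp, groups, "repo", "bob", tree))
```

In this model /foo/new is readable by bob: a directory added later without its own deny section inherits *=r from the root, so the rule file has to be reviewed whenever a sibling directory is created.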

Received on 2009-02-27 21:45:08 CET

This is an archived mail posted to the Subversion Users mailing list.
