
RE: Limiting permission's

From: Johan Corveleyn <johan.corveleyn_at_uz.kuleuven.ac.be>
Date: Wed, 17 Jun 2009 01:15:15 +0200

> -----Original message-----
> From: Patricia A Moss [mailto:pmoss4_at_csc.com]
> Sent: Thursday, 11 June 2009 19:08
> To: users_at_subversion.tigris.org
> Subject: RE: Limiting permission's
>
>
> Can anyone lend an understanding to this
>
> Here is my config file.
>
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\svnaccount
> AuthLDAPBindPassword svnpasswd
> AuthLDAPURL ldap://servername:3268/DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
>
> <Location /zorch>
> dav svn
> SVNPath /disk01/home/zorch
> AuthType Basic
> AuthBasicProvider ldap-FCGNET
> AuthName "CSC Subversion Repository"
> AuthzLDAPAuthoritative off
> Require valid-user
> ##
> # Allows group to have read access to the repository
> <Limit GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
> </Limit>
> # Allows group to have write access to the repository
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
> </LimitExcept>
> </Location>
>
> It is my understanding that "<Limit GET PROPFIND OPTIONS REPORT>" and
> "<LimitExcept GET PROPFIND OPTIONS REPORT>" are used to distinguish
> between read-only permissions and read/write permissions. Is this
> correct?
>
> Do I need the "AuthBasicProvider ldap-FCGNET" entry?
> It seems that with it included ANY FCGNET account has access to the
> repository.
>
> Also, I was under the impression that the "Require ldap-user " entry
> was what would need to be added to give a single user access to the
> repository. However, when I include the entry I still do not have
> access to the repository.

A bit late to help maybe, but nonetheless ...

I think you misunderstand the Limit and LimitExcept directives. These are Apache directives, and you can find what they mean at http://httpd.apache.org/docs/2.2/. They can be used to limit access (read/write) for groups of people to the repository as a whole (you can't use them to do "path-based authorization").

You have to understand that the HTTP (WebDAV) methods GET, OPTIONS, PROPFIND and REPORT are the ones that SVN uses to read stuff. To write stuff it also needs access to other methods, like PUT, DELETE, ...

The Limit section literally says: apply the underlying restrictions to the listed methods.
The LimitExcept section literally says: apply the underlying restrictions to any HTTP method, *except* to the listed methods.

The way you have it configured, you really say:
- restrict access to SVN's read methods to group CN=PRJ FP-Development,...
- restrict access to all other methods to that same group

That's why the post of Jason Malinowski is correct: you could just as well put the restriction of this group in the Location block itself.

So I guess in the end, I don't understand what you're trying to do, and what is going wrong (not as expected).
If you want everyone to have read access, but only your special group to have write access, you should just remove the "Limit" block from the config sample you posted. The "LimitExcept" block with the "Require ldap-group" will make sure that all write methods (i.e. all of them except get, propfind, options and report) are restricted to that group.

Hope this helps...
Regards,
Johan

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2362647

Received on 2009-06-17 01:16:22 CEST
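
The Limit/LimitExcept scoping described in this reply, worked through per HTTP method as an added example (not part of the original mail, and not Apache's own code). It lists which Require lines are in scope for each method, first for the posted block and then for the same block with the Limit section removed. The helper names and the sample list of write methods are assumptions made for the illustration.

```python
import re

GROUP = "CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com"
READ = ["GET", "PROPFIND", "OPTIONS", "REPORT"]           # read methods named in the reply
WRITE = ["PUT", "DELETE", "MKCOL", "PROPPATCH", "MERGE"]  # sample write methods (assumed list)

# Authorization lines of the posted <Location> block (wrapped lines rejoined).
POSTED = f"""
Require valid-user
<Limit GET PROPFIND OPTIONS REPORT>
Require ldap-group {GROUP}
</Limit>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require ldap-group {GROUP}
</LimitExcept>
"""
# The same block with the <Limit> section removed, as the reply suggests.
SUGGESTED = f"""
Require valid-user
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require ldap-group {GROUP}
</LimitExcept>
"""

def parse_requires(conf):
    """Return (kind, methods, requirement) for each Require line; kind is
    'limit', 'limitexcept', or None for a Require outside both blocks."""
    rules, kind, methods = [], None, frozenset()
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<(LimitExcept|Limit)\s+([^>]+)>$", line, re.I)
        if opened:
            kind = opened.group(1).lower()
            methods = frozenset(opened.group(2).split())
        elif re.match(r"</Limit(Except)?>$", line, re.I):
            kind, methods = None, frozenset()
        elif line.lower().startswith("require "):
            rules.append((kind, methods, line.split(None, 1)[1]))
    return rules

def requires_for(conf, method):
    """Require lines whose scope covers `method` (scope only: how httpd
    combines several in-scope Require lines is not modelled)."""
    # Limit covers listed methods; LimitExcept covers the unlisted ones.
    return [req for kind, methods, req in parse_requires(conf)
            if kind is None or (kind == "limit") == (method in methods)]

if __name__ == "__main__":
    for method in READ + WRITE:
        print(method, requires_for(POSTED, method), requires_for(SUGGESTED, method))
```

In the posted block every method ends up with the same two Require lines in scope, which is why the two sections add nothing over a single Require at Location level. With the Limit section removed, the group requirement is in scope only for the write methods.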

This is an archived mail posted to the Subversion Users mailing list.