Hi!
I would like to report a bug (IMHO it is one) for mod_dav_svn in conjunction with
apache-2.2.11. Could you please confirm this behaviour?
Consider the following folder structure inside the repository in folder REPO:
/ROOT
|-- Some
|-- Folder
|-- Stuff
| |-- SomeTextFile.txt
|
|-- Secrets
|-- SecretData.txt
My basic apache configuration is as follows:
--snip--
RedirectMatch ^(/svn)$ $1/
<Location /svn>
    DAV svn
    SVNParentPath D:\Somewhere
    SVNListParentPath on
    RedirectMatch 404 ^/(MSOffice/|_vti_bin/|_vti_inf.html$)
    BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS" redirect-carefully
    SVNAutoversioning On
    SVNReposName "Subversion Repository"
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=adminaccount,OU=ServiceAccounts(non-elevated),OU=Operators,DC=EXAMPLE,DC=COM"
    AuthLDAPBindPassword Password
    AuthLDAPURL "ldap://ldapserver:3268/?sAMAccountName?sub" NONE
    Order deny,allow
    Deny from all
</Location>
--snip--
The goal of my Apache ACL configuration is to let user Marcel
have access to the stuff in directory "Stuff", and let other users
have access to all the data.
So I have the following ACL configuration:
--snip--
# This here I hope to be fine, please comment
<Location ~ ^/svn/.+/!svn>
    Satisfy Any
    Require valid-user
</Location>
# Next line is the trouble line
<Location ~ (?i)^/svn/REPO/ROOT>
    Satisfy Any
    Require ldap-group CN=SOMEGROUP,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
    Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Accounts,DC=EXAMPLE,DC=COM"
</Location>
<Location ~ (?i)^/svn/REPO/ROOT/Some/Folder/Stuff>
    Satisfy Any
    Require ldap-attribute distinguishedName="CN=Marcel,OU=User Accounts,DC=EXAMPLE,DC=COM"
</Location>
--snip--
Everything works as expected:
Marcel can use TortoiseSVN, enter the URL
http://server/svn/REPO/ROOT/Some/Folder/Stuff
and check out/check in data as planned.
Any other access to the repo is rejected. Fine.
Now I change the configuration in one minor aspect:
"<Location ~ (?i)^/svn/REPO/ROOT>" is replaced by
"<Location ~ (?i)^/svn/REPO>"
and now Marcel no longer has access to
http://server/svn/REPO/ROOT/Some/Folder/Stuff
Note that this rule does not mention Marcel at all.
This led to some headache at my place.
To make things worse the "working" solution does not seem to scale.
Our production environment could not be "healed" by adding
dummy access rules to second level directories.
There is some weird interaction between multiple <Location> rules,
but I cannot figure out what exactly happens and when.
Could you please check whether you can reproduce this behaviour?
Could you please explain what is going on?
best regards,
Markus
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2383644
Received on 2009-08-14 17:11:27 CEST
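
One way to check which rule ends up governing a given URL under the two configurations above, as an added example that is not part of the original message. It models Apache's documented rule that all matching `<Location>` sections are applied in file order with later sections overriding earlier ones. Assumptions not stated in the post: a later matching section's `Require` list replaces the earlier one, the client also requests mod_dav_svn's internal `!svn` URLs, and the sample paths and short rule labels are constructed.

```python
import re

# Require lists from the posted configuration, abbreviated to labels (constructed).
VALID_USER = ["valid-user"]
GROUP = ["ldap-group SOMEGROUP", "ldap-attribute Doe, John"]
MARCEL = ["ldap-attribute Marcel"]

BEFORE = r"(?i)^/svn/REPO/ROOT"   # the "working" middle section
AFTER = r"(?i)^/svn/REPO"         # the changed middle section

# Constructed sample request paths.
STUFF = "/svn/REPO/ROOT/Some/Folder/Stuff"
DAV_INTERNAL = "/svn/REPO/!svn/vcc/default"


def sections(middle_pattern):
    """The three regex <Location> sections in the order they appear in the file."""
    return [
        (r"^/svn/.+/!svn", VALID_USER),
        (middle_pattern, GROUP),
        (r"(?i)^/svn/REPO/ROOT/Some/Folder/Stuff", MARCEL),
    ]


def effective_require(secs, path):
    """Assumed merge model: apply every matching section in file order;
    the last matching section's Require list is the one in force."""
    result = None
    for pattern, requires in secs:
        if re.search(pattern, path):   # <Location ~ ...> is an unanchored regex match
            result = requires
    return result


def compare(paths):
    """Return {path: (rules with BEFORE, rules with AFTER)} for each path."""
    return {
        p: (effective_require(sections(BEFORE), p),
            effective_require(sections(AFTER), p))
        for p in paths
    }


if __name__ == "__main__":
    for path, (before, after) in compare([STUFF, DAV_INTERNAL]).items():
        print(f"{path}\n  before: {before}\n  after:  {after}")
```

Under this model the checkout URL stays governed by Marcel's rule in both cases, while the `!svn` path moves from `valid-user` to the group rule once the middle pattern is shortened to `^/svn/REPO`, because that pattern now matches it and comes later in the file.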