[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Writing on subfolder requires read access on repository root

From: Geir Engebakken <geir.engebakken_at_edb.com>
Date: Tue, 1 Dec 2009 13:14:46 +0100

Strange. I tested this exactly as shown, and it worked as expected

##################################################
dev1=z1416ge

[test:/]
*=r

[test:/project1]
@dev1 = rw
~dev1 =

##################################################

First I set it up like this and tried to create the project1 folder, and was denied with 403 of course. So I modified temporarily and set up :

[test:/]
*=rw

And got the project1 folder created.

Then removed the w access, like this :

[test:/]
*=r

And created a subfolder in project1, no problem.

You don't have something like

[/]
*=r
In your access file, or some other construct that might be a problem?

Geir
From: Srinivas Peddi [mailto:speddi_at_uscentral.org]
Sent: 30. november 2009 17:53
To: Engebakken Geir; Hyrum K. Wright
Cc: users_at_subversion.tigris.org
Subject: RE: Writing on subfolder requires read access on repository root

Thank you for your reply. I tested this scenario and still not working. When I use construct ~ the group that need access to that project are not able to commit anything and getting "server send unexpected return value (403 forbidden) in response to options" error message.

Here is an example.

[test:/]
* = r

[test:/project1]
@dev1 = rw
~dev1 =

When I give access like this the user in the group dev1 are not able to commit to project1. Can you please test this scenario in your environment.

Srini

________________________________
From: Engebakken Geir [mailto:geir.engebakken_at_edb.com]
Sent: Monday, November 30, 2009 6:08 AM
To: Srinivas Peddi; Hyrum K. Wright
Cc: users_at_subversion.tigris.org
Subject: RE: Writing on subfolder requires read access on repository root

Well I discovered the same problem. So ended up with a scheme that works, although a bit cumbersome. What we do is give all users readaccess to root, and then give rw access to groups on subdirectories.

Since we also want to deny non-authorized users read access to the projects that they are not members of we use the construct ~, which is used to negate the accesseslist. An abstract of our access file will show this better:

Accesses for the entire repos is like this :

[java:/]
*=r
@admin=rw

And so for each project we define accesses as following :

 [java:/xxx/archive]
@admin=rw
@archive=rw
~archive =

~archive= means all users not in archive group are denied access.

Geir
From: Srinivas Peddi [mailto:speddi_at_uscentral.org]
Sent: 23. november 2009 16:56
To: Hyrum K. Wright
Cc: users_at_subversion.tigris.org
Subject: RE: Writing on subfolder requires read access on repository root

Hi,

   Not really. This is issue looks little different from #3242. As I mentioned below looks like it was fixed 1.3.2 (Issue#2486). Am I missing something here. Can anybody help me.

Thanks
Srini

-----Original Message-----
From: Hyrum K. Wright [mailto:hyrum_wright_at_mail.utexas.edu]
Sent: Friday, November 20, 2009 4:32 PM
To: Srinivas Peddi
Cc: users_at_subversion.tigris.org
Subject: Re: Writing on subfolder requires read access on repository root

On Nov 20, 2009, at 3:48 PM, Srinivas Peddi wrote:

> Hi,

>

> Really need help. We are migrating from CVS to SVN. The problem I encountering is it requiring read access at root level even when the user need write access at sub folder/directory level. So unable to restrict access to other folders/directories.

>

> Here are the details:

> SVN Version : 1.6.2

> Implementation : Apache + SVN and Active directory based authentication. (AuthType sspi and using AuthzSVNAccessFile)

> Environment : Windows 2003 server

>

> /

> /Project1

> /Subproject1

> /Project2

> /SubProject2

>

> Example :

> Two users : User1 & User2

>

> When the User1 needs write access to /Project2, I have to give him read access at root level too. Otherwise that User1 cannot even get it in to the repository. Since we need to implement strict access levels for the modules in the repository, other groups or users are not supposed to even read other modules.

>

> Here is the Authorization.conf file.

>

> [groups]

> Test1 = User1

> Test2 = User2

>

> [/]

> * = r

>

> [/Project2]

> @Test1 = rw

>

> I looked at mailing lists and archives and found that this was fixed in release 1.3.2 (Issue Id 2486). Am I doing something wrong here, why I am getting same error in 1.6.2? Any help is greatly appreciated.

Do you think this is part of issue #3242:

http://subversion.tigris.org/issues/show_bug.cgi?id=3242

There is a potential fix being developed, but there is not yet an expected release date for this fix.

-Hyrum

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2425851

Please start new threads on the <users_at_subversion.apache.org> mailing list.
To subscribe to the new list, send an empty e-mail to <users-subscribe_at_subversion.apache.org>.
Received on 2009-12-01 13:16:05 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.