RE: Writing on subfolder requires read access on repository root
From: Geir Engebakken <geir.engebakken_at_edb.com>
Date: Tue, 1 Dec 2009 13:14:46 +0100
Strange. I tested this exactly as shown, and it worked as expected
##################################################
[test:/]
[test:/project1]
##################################################
First I set it up like this and tried to create the project1 folder, and was denied with 403 of course. So I modified temporarily and set up :
[test:/]
And got the project1 folder created.
Then removed the w access, like this :
[test:/]
And created a subfolder in project1, no problem.
You don't have something like
[/]
Geir
Thank you for your reply. I tested this scenario and still not working. When I use construct ~ the group that need access to that project are not able to commit anything and getting "server send unexpected return value (403 forbidden) in response to options" error message.
Here is an example.
[test:/]
[test:/project1]
When I give access like this the user in the group dev1 are not able to commit to project1. Can you please test this scenario in your environment.
Srini
________________________________
Well I discovered the same problem. So ended up with a scheme that works, although a bit cumbersome. What we do is give all users readaccess to root, and then give rw access to groups on subdirectories.
Since we also want to deny non-authorized users read access to the projects that they are not members of we use the construct ~, which is used to negate the accesseslist. An abstract of our access file will show this better:
Accesses for the entire repos is like this :
[java:/]
And so for each project we define accesses as following :
[java:/xxx/archive]
~archive= means all users not in archive group are denied access.
Geir
Hi,
Not really. This is issue looks little different from #3242. As I mentioned below looks like it was fixed 1.3.2 (Issue#2486). Am I missing something here. Can anybody help me.
Thanks
-----Original Message-----
On Nov 20, 2009, at 3:48 PM, Srinivas Peddi wrote:
> Hi,
>
> Really need help. We are migrating from CVS to SVN. The problem I encountering is it requiring read access at root level even when the user need write access at sub folder/directory level. So unable to restrict access to other folders/directories.
>
> Here are the details:
> SVN Version : 1.6.2
> Implementation : Apache + SVN and Active directory based authentication. (AuthType sspi and using AuthzSVNAccessFile)
> Environment : Windows 2003 server
>
> /
> /Project1
> /Subproject1
> /Project2
> /SubProject2
>
> Example :
> Two users : User1 & User2
>
> When the User1 needs write access to /Project2, I have to give him read access at root level too. Otherwise that User1 cannot even get it in to the repository. Since we need to implement strict access levels for the modules in the repository, other groups or users are not supposed to even read other modules.
>
> Here is the Authorization.conf file.
>
> [groups]
> Test1 = User1
> Test2 = User2
>
> [/]
> * = r
>
> [/Project2]
> @Test1 = rw
>
> I looked at mailing lists and archives and found that this was fixed in release 1.3.2 (Issue Id 2486). Am I doing something wrong here, why I am getting same error in 1.6.2? Any help is greatly appreciated.
Do you think this is part of issue #3242:
http://subversion.tigris.org/issues/show_bug.cgi?id=3242
There is a potential fix being developed, but there is not yet an expected release date for this fix.
-Hyrum
------------------------------------------------------
Please start new threads on the <users_at_subversion.apache.org> mailing list.
|
This is an archived mail posted to the Subversion Users mailing list.
This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.