
Re: How to best manage authorization after tag/branch creation?

From: David Weintraub <qazwart_at_gmail.com>
Date: Wed, 13 Oct 2010 14:48:23 -0400

On Wed, Oct 13, 2010 at 2:12 PM, Shaun Pinney
<shaun.pinney_at_bil.konicaminolta.us> wrote:
>> Do you need to restrict READ access to the branch or tag, or do you
>> simply want to restrict COMMIT access?
>
> Thanks for the response.  We need both, but restricting read access is
> the main concern at the moment.  So far, I only know of AuthUserFile
> for controlling read access.

The usual issue is making sure people outside the project are
prevented from reading the code. You might not want people in your
project making changes on tags and branches, but there usually isn't a
security issue if they see the code on the branches and tags.

The only way you can prevent people from reading your code is to set up
httpd configuration. Pre-commit hooks can't do this and there's no
pre-checkout hook.

However, changing httpd configuration is tricky since it involves
having root access on the httpd server and being able to at least
bounce the server when the permissions get changed.

But changing a configuration text file inside the Subversion source
repository is much easier to do, and you usually don't have to take
the repository down to make the changes. They can be done on the fly.

That's why most sites use pre-commit hooks to prevent commits and use
httpd configuration to simply keep people outside the project scope
out.

>> By the way, there's also a way to configure Apache httpd to use LDAP
>> instead of a regular text file. This means that users will have access
>> to your Subversion repository based upon their Windows or Unix account
>> and that users will automatically get logins and have their access
>> removed when they get hired or move on.
>
> That's something we'll definitely consider.  We have some other quirks
> with account management to sort out first :)

When your development team gets bigger than a dozen people, you start
having people come and go all the time. That makes it difficult to
keep the httpd configuration up to date. It just becomes easier if
this becomes more automated. Or at least someone else's problem when a
new developer doesn't have access to Subversion.

-- 
David Weintraub
qazwart_at_gmail.com
Received on 2010-10-13 20:49:01 CEST
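
The commit-side half of the split described in this message, as an added example that is not code from the post or from the Subversion project: a pre-commit hook that treats tags as create-only. The `tags/<name>/` layout, the create-only policy and the sample lines are assumptions; read access still has to be restricted in the httpd configuration.

```python
#!/usr/bin/env python3
"""Pre-commit check: tags are create-only (added example, assumed policy)."""
import subprocess
import sys

# Constructed sample of `svnlook changed` output, for illustration only.
SAMPLE = ["A   tags/1.0/", "U   trunk/main.c", "U   tags/0.9/main.c",
          "_U  proj/tags/0.9/", "D   tags/0.8/", "A   branches/fix/"]


def violations(changed_lines):
    """Return the paths in `svnlook changed` output that touch an existing tag.

    Each line holds a two-character status (content, property), padding, and
    the path from column 5. A tag made with `svn copy` shows up as a single
    added directory, `A   tags/NAME/`; any other change under tags/ is refused.
    """
    bad = []
    for line in changed_lines:
        if len(line) < 5:
            continue
        status, path = line[:2].strip(), line[4:]
        parts = path.split("/")
        # Assumption: a directory component named "tags" marks the tag root.
        if "tags" not in parts[:-1]:
            continue  # trunk and branches are not covered by this check
        rest = parts[parts.index("tags") + 1:]
        is_tag_root = rest == [""]
        is_new_tag = status == "A" and len(rest) == 2 and rest[0] and rest[1] == ""
        if not (is_tag_root or is_new_tag):
            bad.append(path)
    return bad


def main(repos, txn):
    # Subversion calls the hook as: pre-commit REPOS-PATH TXN-NAME
    out = subprocess.run(["svnlook", "changed", "-t", txn, repos],
                         check=True, capture_output=True, text=True).stdout
    bad = violations(out.splitlines())
    for path in bad:
        sys.stderr.write("Commit blocked, tags are read-only: %s\n" % path)
    return 1 if bad else 0  # non-zero exit makes Subversion reject the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```
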

This is an archived mail posted to the Subversion Users mailing list.
