
SVN Path-based Authentication Q...

From: BRM <bm_witness_at_yahoo.com>
Date: Tue, 3 Jul 2012 07:32:14 -0700 (PDT)

I am administering a server running Apache Httpd with WebDAV serving a Subversion 1.6.6 repository set on an Ubuntu Server 10.04 LTS.

A while back I set up path-based authentication using mod_authz_svn in addition to the AuthUserFile directive for logins.
This has been working quite well; however, I recently needed to change some of the permissions due to a legal requirement that some users not be allowed to access certain paths.

My initial update was just to protect the paths in the AuthzSVNAccessFile:

[myrepo:/path/to/protected/area1/protectedItem]
@no_access_group =

[myrepo:/path/to/protected/area2/protectedItem]
@no_access_group =

All the protected paths have a common directory name that is not to be accessed.

However, I am concerned that this method will only work until a user (any user) copies a path (e.g. /path/to/protected/area2) to another path, and thus 'protectedItem' becomes available at the new path without anyone realizing it. Ideally I would have something like the following instead of having 6 or so copies of the above:

[myrepo:*/protectedItem]
@no_access_group =

I looked over the SVN Redbook information and the Apache2 2.2 documentation but could not find anything to say that was supported, etc.
Is there a way I can do this reliably? Upgrading the software (especially if it gets this functionality) would be relatively easy to do/request.

While I realize a better method would be to dump/filter/reload the repository, we don't want to do that quite yet as we have a number of working copies on numerous machines that we do not want to invalidate as a result. I am considering it at some point, but only if absolutely necessary.

TIA,

Ben
Received on 2012-07-03 16:32:54 CEST
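
The copy concern raised in the message above can be checked for with a periodic audit. The following is an added example, not part of the original post: it compares a directory listing of the repository against the access file and reports every 'protectedItem' directory that has no deny rule for the group. The user names, the /branches/copy path and both function names are constructed for illustration, and the check assumes no more specific section re-grants access.

```python
import configparser

# Constructed sample access file, using the section style from the post.
AUTHZ = """\
[groups]
no_access_group = alice, bob

[myrepo:/path/to/protected/area1/protectedItem]
@no_access_group =

[myrepo:/path/to/protected/area2/protectedItem]
@no_access_group =
"""

# Constructed directory listing (e.g. gathered with `svn ls -R`); it includes
# a hypothetical copy of area2 that someone made under /branches/copy.
REPO_DIRS = [
    "/path/to/protected/area1/protectedItem",
    "/path/to/protected/area2/protectedItem",
    "/branches/copy/protectedItem",
    "/path/to/public/docs",
]

def denied_paths(authz_text, repo, group):
    """Paths in `repo` whose section gives `@group` an empty (no access) value.
    Sections without a repository prefix are not considered here."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(authz_text)
    denied = set()
    for section in cp.sections():
        name, sep, path = section.partition(":")
        if sep and name == repo and cp.get(section, "@" + group, fallback=None) == "":
            denied.add(path.rstrip("/") or "/")
    return denied

def uncovered(dirs, denied, protected_name):
    """Directories named `protected_name` with no deny rule on them or an ancestor."""
    missing = []
    for d in dirs:
        parts = d.strip("/").split("/")
        if parts[-1] != protected_name:
            continue
        ancestors = {"/"} | {"/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)}
        if not ancestors & denied:
            missing.append(d)
    return missing

if __name__ == "__main__":
    rules = denied_paths(AUTHZ, "myrepo", "no_access_group")
    for path in uncovered(REPO_DIRS, rules, "protectedItem"):
        print("no deny rule covers:", path)
```
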

This is an archived mail posted to the Subversion Users mailing list.
