subversion-users mailing list archives

From <Benjamin.Ort...@wellsfargo.com>
Subject RE: On commit attempt, Server sent unexpected return value (403 Forbidden) in response to CHECKOUT
Date Mon, 03 Jan 2011 14:43:45 GMT
The /*/*/*/ in the path is to compensate for the temporary location /!svn/ver/<revision>/.
This works without the svnauthz file in place.

Is there an internal user that the subversion server utilizes to perform the checkout of the
last-committed-revision of the file prior to the put?  That seems to be what is holding this
up.  It doesn't try to use my username to do this.  That seems to be the case, as my user
should have access to the file, but also to the temporary location.  With the "* =" at the
beginning of the svnauthz file restricting all users, it fails with a 403, but if I give rw
to * it works.  Note in the apache access log that the activities using my id are successful,
but the activities that just have a - where the username would be are unsuccessful, the first
one, of course, triggering a prompt for authentication, but the checkout towards the end just
failing with a 403.

ip_address - - [30/Dec/2010:15:49:58 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 401 1337
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 -
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 816
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 195
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "MKACTIVITY /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 201 234
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/!svn/vcc/default HTTP/1.1" 207 414
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/bln/110 HTTP/1.1" 201 250
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPPATCH /subversion/repo/!svn/wbl/71f51505-a174-8349-ab61-843f80a40f8f/110 HTTP/1.1" 207 469
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 526
ip_address - - [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/ver/110/folder/structure/RestrictedFile HTTP/1.1" 403 1021
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "DELETE /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 204 -



Benjamin Ortega 
---------------------------------------------- 
Operations Systems Engineer 
Wells Fargo Bank, Des Moines, IA 
CORE Build & Deploy Team
C : Benjamin.Ortega@WellsFargo.com 
  : 515-720-2700 (cell)
MAC: X2301-01X


-----Original Message-----
From: Mark Phippard [mailto:markphip@gmail.com] 
Sent: Monday, January 03, 2011 8:33 AM
To: Ortega, Benjamin
Cc: users@subversion.apache.org
Subject: Re: On commit attempt, Server sent unexpected return value (403 Forbidden) in response to CHECKOUT

On Fri, Dec 31, 2010 at 11:04 AM,  <Benjamin.Ortega@wellsfargo.com> wrote:
> I'm trying to integrate a SVN Authz authorization file with apache
> configuration files to provide a solution for not just directory level
> restrictions, but also file level restrictions. It's my understanding that
> the SVN Authorization file is not capable of handling file-specific
> restrictions, only directory level.

This is not true.  SVN authz manages "paths" and a path can be a
directory or a file.  Of course it has to be the full path to the file
as there is no wild-card support.

> <Location "/subversion/repo/*/*/*/folder/structure/RestrictedFile">
> <Limit PUT>
> Require user my_username
> </Limit>
> </Location>

I am not aware of being able to define rules for paths within a
repository this way.  When the SVN client does the commit it does so
against a temporary path, so you cannot use paths in your repository.
I do believe there are people that have written rules against the
temporary paths and if you did so properly then it might work.

That said, I am also not confident that you can successfully mix the
Subversion authz file with the other Apache require directives.  I
have tried in the past to mix authz with the require-ldap-group
directive and the two just do not mix as these directives become
additive.  Meaning if either directive would allow the user access
then they get access and you do not get the restrictive behavior of
authz that is desired.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/
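
An added example, not part of either message and not Subversion's own code: a Python script that parses the access-log lines quoted above, maps `!svn/ver/<revision>/...` URLs back to repository paths, and lists 403 responses to requests logged without a username. The function names are hypothetical, and the regex assumes the log layout shown in the message.

```python
import re

# Access-log entries copied from the message above, wrapped lines rejoined.
SAMPLE_LOG = '''\
ip_address - - [30/Dec/2010:15:49:58 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 401 1337
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/bln/110 HTTP/1.1" 201 250
ip_address - - [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/ver/110/folder/structure/RestrictedFile HTTP/1.1" 403 1021
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "DELETE /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 204 -
'''

# Assumed layout (as in the message): host ident user [time] "METHOD url HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$')
# Commit-time URL form named in the message: <repo root>/!svn/ver/<revision>/<path>
VER_RE = re.compile(r'^.*?/!svn/ver/(?P<rev>\d+)(?P<repo_path>/.*)?$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['user'] = None if entry['user'] == '-' else entry['user']
    ver = VER_RE.match(entry['url'])
    entry['rev'] = int(ver['rev']) if ver else None
    entry['repo_path'] = (ver['repo_path'] or '/') if ver else None
    return entry


def anonymous_denials(log_text):
    """Return 403 responses to requests logged without a username.

    Each hit also lists the usernames the same client authenticated as elsewhere
    in the log, which separates "credentials not sent" from "unknown client".
    A 401 is the normal authentication challenge and is not reported.
    """
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = []
    for e in entries:
        if e['user'] is None and e['status'] == 403:
            same_host = {o['user'] for o in entries if o['host'] == e['host'] and o['user']}
            hits.append({**e, 'seen_users': sorted(same_host)})
    return hits


if __name__ == '__main__':
    for hit in anonymous_denials(SAMPLE_LOG):
        print(hit['method'], hit['repo_path'] or hit['url'], hit['rev'], hit['seen_users'])
```
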
