Return-Path: 
 <users-return-6795-apmail-subversion-users-archive=subversion.apache.org@subversion.apache.org>
Delivered-To: apmail-subversion-users-archive@minotaur.apache.org
Received: (qmail 61940 invoked from network); 4 Jan 2011 20:16:20 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 4 Jan 2011 20:16:20 -0000
Received: (qmail 7330 invoked by uid 500); 4 Jan 2011 20:16:19 -0000
Delivered-To: apmail-subversion-users-archive@subversion.apache.org
Received: (qmail 7307 invoked by uid 500); 4 Jan 2011 20:16:19 -0000
Mailing-List: contact users-help@subversion.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@subversion.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@subversion.apache.org>
List-Post: <mailto:users@subversion.apache.org>
List-Id: <users.subversion.apache.org>
Delivered-To: mailing list users@subversion.apache.org
Received: (qmail 7300 invoked by uid 99); 4 Jan 2011 20:16:19 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 04 Jan 2011 20:16:19 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=RCVD_IN_DNSWL_NONE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [66.111.4.25] (HELO out1.smtp.messagingengine.com)
 (66.111.4.25)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 04 Jan 2011 20:16:12 +0000
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43])
	by gateway1.messagingengine.com (Postfix) with ESMTP id 12FF520E2E;
	Tue,  4 Jan 2011 15:15:52 -0500 (EST)
Received: from frontend2.messagingengine.com ([10.202.2.161])
  by compute3.internal (MEProxy); Tue, 04 Jan 2011 15:15:52 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=messagingengine.com;
 h=date:from:to:cc:subject:message-id:references:mime-version:content-type:in-reply-to;
 s=smtpout; bh=ZZHF00iogGfb85kFB9oRs4qb0aA=;
 b=MfMsBXLVwj1RZqwTG5DRp2eInqG71y6OCKMYWLPc34im3XkFd9YIHABBH0IDP7uMMFgIAb93xr67DyYGxE6AX/22Me4qg7F7YHifnWsYxFM5pc/757qMlfT/ibLCN1F+Og+ecRzqFrVeSDlXXFo17WwqqbX9/nQJYxPvg3Ox1RQ=
X-Sasl-enc: mdt+dinNiJV+mEQmFu9HD1G3JQuhKN6Z5YrcCNksiVzI6q/EQxVJjdm8d56t4g
 1294172151
Received: from daniel3.local (bzq-79-176-37-31.red.bezeqint.net
 [79.176.37.31])
	by mail.messagingengine.com (Postfix) with ESMTPSA id 04B6C445108;
	Tue,  4 Jan 2011 15:15:49 -0500 (EST)
Date: Tue, 4 Jan 2011 22:13:01 +0200
From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: Mark Phippard <markphip@gmail.com>
Cc: Benjamin.Ortega@wellsfargo.com, users@subversion.apache.org
Subject: Re: On commit attempt, Server sent unexpected return value (403
	Forbidden) in response to CHECKOUT
Message-ID: <20110104201301.GB2269@daniel3.local>
References: 
 <95F9275A5D8D1747939A84E03937148F470C3237D1@MSGCMSV21043.ent.wfb.bank.corp>
 <AANLkTimWWy6PMvcZZ8eNiyvbanGOEuZDoRsHsCsLRfFd@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <AANLkTimWWy6PMvcZZ8eNiyvbanGOEuZDoRsHsCsLRfFd@mail.gmail.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
X-Virus-Checked: Checked by ClamAV on apache.org

Mark Phippard wrote on Mon, Jan 03, 2011 at 09:32:49 -0500:
> On Fri, Dec 31, 2010 at 11:04 AM,  <Benjamin.Ortega@wellsfargo.com> wrote:
> > I'm trying to integrate a SVN Authz authorization file with apache
> > configuration files to provide a solution for not just directory level
> > restrictions, but also file level restrictions. It's my understanding that
> > the SVN Authorization file is not capable of handling file-specific
> > restrictions, only directory level.
> 
> This is not true.  SVN authz manages "paths" and a path can be a
> directory or a file.  Of course it has to be the full path to the file
> as there is no wild-card support.
> 
> > <Location "/subversion/repo/*/*/*/folder/structure/RestrictedFile">
> > <Limit PUT>
> > Require user my_username
> > </Limit>
> > </Location>
> 

Did you mean <LocationMatch>?

(which takes a regex, not a glob, IIRC)

> I am not aware of being able to define rules for paths within a
> repository this way.  When the SVN client does the commit it does so
> against a temporary path, so you cannot use paths in your repository.
> I do believe there are people that have written rules against the
> temporary paths and if you did so properly then it might work.
> 
> That said, I am also not confident that you can successfully mix the
> Subversion authz file with the other Apache require directives.  I
> have tried in the past to mix authz with the require-ldap-group
> directive and the two just do not mix as these directives become
> additive.  Meaning if either directive would allow the user access
> then they get access and you do not get the restrictive behavior of
> authz that is desired.
> 
> -- 
> Thanks
> 
> Mark Phippard
> http://markphip.blogspot.com/