subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Hänsel <an...@webkr.de>
Subject Deny read access to a path using authz
Date Mon, 04 Feb 2013 19:08:59 GMT
Hi list,

I am trying to deny a user access to a certain path in an SVN repository.

According to the documentation this is done by setting the username to empty
like this:

  [calc:/branches/calc/bug-142/secret]
  harry =

In
http://grokbase.com/t/subversion/users/1019eey8h0/problem-implementing-path-
based-authorization-with-authz I found this:

  If I remember correctly, you cannot have less than
  global read permissions on the repository's root
  if you're on SVN 1.5 or later.

Maybe this is fixed in 1.7
(http://subversion.tigris.org/issues/show_bug.cgi?id=3242), still I decided
to start with read access for everyone and then to deny access to one path.

This is the configuration of my SVN vhost:

    <VirtualHost *:443>
    
      <Location />
        DAV svn
        SVNParentPath /var/repositories/
        
        AuthType Basic
        AuthName "Repositories"
        AuthUserFile /etc/apache2/passwd/rep
        Require user andre
        
        # Google: svn secure connection truncated
        SVNPathAuthz Off
      </Location>
      
      <Location /test/>
        AuthUserFile /etc/apache2/passwd/rep-test
        Require valid-user
        SVNPathAuthz On
        AuthzSVNAccessFile /etc/apache2/passwd/authz-test
      </Location>
    
    </VirtualHost>

Inside the repository https://svn/test/ there is a directory test2.

This is my current authz-test file, which is unable to stop user "andre"
from accessing the directory "test2" and its content:

    [/]
    * = rw
    
    [/test2]
    andre =
    [/test2/]
    andre =
    [test/test2]
    andre =
    [/test/test2]
    andre =
    [test/test2/]
    andre =
    [/test/test2/]
    andre =
    [test:/test/test2]
    andre =
    [test/:/test2]
    andre =
    [test:/test2/]
    andre =
    [test/:/test2/]
    andre =
    [test:test2]
    andre =
    [test/:test2]
    andre =
    [test:test2/]
    andre =
    [test/:test2/]
    andre =

When I comment the "* = rw" part, access to the repository is immediately
denied, so at least the file isn't being ignored completely. I am using
Subversion 1.7.8.

Regards,
André


Mime
View raw message