Posted to users@subversion.apache.org by "Rogers, Donald" <Do...@openpolytechnic.ac.nz> on 2005/07/19 21:14:57 UTC

httpd.conf problem limiting access to lower levels

We have four Subversion repositories on a Windows 2000 server. We are using Apache 2.0.54, Subversion 1.2.1 and LDAP authentication (Active Directory). We want user groups to have different access rights at different levels of each repository.

We tried this type of setup in httpd.conf:
...
<Location /subversion/xml_dev>
  AuthName "First level"
  <Limit GET PROPFIND PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    require group CN=Subversion Administrator,OU=Svn Groups,DC=topnz,DC=ac,DC=nz
  </Limit>
  <Limit GET PROPFIND>
    require group CN=Subversion Editors,OU=Svn Groups,DC=topnz,DC=ac,DC=nz
  </Limit>
</Location>

<Location /subversion/xml_dev/*/*>
  AuthName "Third level"
  <Limit GET PROPFIND PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    require group CN=Subversion Administrator,OU=Svn Groups,DC=topnz,DC=ac,DC=nz
    require group CN=Subversion Editors,OU=Svn Groups,DC=topnz,DC=ac,DC=nz
  </Limit>
</Location>
...

The "First level" element works okay, but the "Third level" element does not work, i.e. users cannot commit to the repository. Does it not cope with the asterisk notation (/subversion/xml_dev/*/*)? There are about 30 folders in the second level and lots more in the third level, so we don't want to have to specify them all individually. Is there some way to do this?

Donald Rogers


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org


Re: httpd.conf problem limiting access to lower levels

Posted by Ben Collins-Sussman <su...@collab.net>.
On Jul 19, 2005, at 4:14 PM, Rogers, Donald wrote:


>   <Limit GET PROPFIND PUT POST DELETE PROPPATCH MKCOL COPY MOVE  
> LOCK UNLOCK>

>  but the "Third level" element does not work, i.e. users cannot  
> commit to the repository.

Are you trying to enumerate every single HTTP method that 'svn' might  
send?  Because that's certainly not a complete list.  It leaves out  
the two most critical methods that svn sends at the beginning and end  
of a commit:  MKACTIVITY and MERGE.
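
An added example, not part of the original thread: a small Python check that reports, for each <Location> block, which methods its <Limit> sections leave without a require. The method set is an assumed reference list of what an svn client sends to mod_dav_svn, and the sample is a constructed copy of the posted blocks with AuthName dropped and group DNs shortened.

```python
import re

# Assumed reference set of WebDAV/DeltaV methods an svn client sends to
# mod_dav_svn; MKACTIVITY and MERGE are the two named in the reply above.
SVN_METHODS = frozenset("""OPTIONS GET PROPFIND REPORT MKACTIVITY CHECKOUT PUT
    PROPPATCH MKCOL DELETE COPY MOVE LOCK UNLOCK MERGE""".split())

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)
LIMIT_RE = re.compile(r"<Limit\s+([^>]*)>", re.I)
EXCEPT_RE = re.compile(r"<LimitExcept\s+([^>]*)>", re.I)
SECTION_RE = re.compile(r"<(Limit(?:Except)?)\b[^>]*>.*?</\1>", re.S | re.I)

def uncovered_methods(conf_text, methods=SVN_METHODS):
    """Map each <Location> path to the methods no 'require' there applies to."""
    report = {}
    for path, body in LOCATION_RE.findall(conf_text):
        covered = set()
        for names in LIMIT_RE.findall(body):        # restricts listed methods
            covered |= {m.upper() for m in names.split()}
        for names in EXCEPT_RE.findall(body):       # restricts all the others
            covered |= methods - {m.upper() for m in names.split()}
        # A require outside any method section applies to every method.
        if re.search(r"^\s*require\b", SECTION_RE.sub("", body), re.I | re.M):
            covered |= methods
        report[path] = sorted(methods - covered)
    return report

# Constructed sample: the two blocks from the post, group DNs shortened.
POSTED = """
<Location /subversion/xml_dev>
  <Limit GET PROPFIND PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    require group CN=Subversion Administrator,OU=Svn Groups
  </Limit>
  <Limit GET PROPFIND>
    require group CN=Subversion Editors,OU=Svn Groups
  </Limit>
</Location>
<Location /subversion/xml_dev/*/*>
  <Limit GET PROPFIND PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    require group CN=Subversion Administrator,OU=Svn Groups
    require group CN=Subversion Editors,OU=Svn Groups
  </Limit>
</Location>
"""
if __name__ == "__main__":
    for path, missing in uncovered_methods(POSTED).items():
        print(path, "->", " ".join(missing) or "all methods covered")
```

Apache's documentation recommends <LimitExcept> over <Limit> when restricting access, because it also applies to methods that are not listed.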



Re: httpd.conf problem limiting access to lower levels

Posted by Adam <te...@yahoo.com>.
http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4.2

--- "Rogers, Donald"
<Do...@openpolytechnic.ac.nz> wrote:

> We have four Subversion repositories on a Windows
> 2000 server. We are using Apache 2.0.54, Subversion
> 1.2.1 and LDAP authentication (Active Directory). We
> want user groups to have different access rights at
> different levels of each repository.
> 
> We tried this type of set up in httpd.conf:
> ...
> <Location /subversion/xml_dev>
>   AuthName "First level"
>   <Limit GET PROPFIND PUT POST DELETE PROPPATCH
> MKCOL COPY MOVE LOCK UNLOCK>
>     require group CN=Subversion Administrator,OU=Svn
> Groups,DC=topnz,DC=ac,DC=nz
>   </Limit>
>   <Limit GET PROPFIND>
>     require group CN=Subversion Editors,OU=Svn
> Groups,DC=topnz,DC=ac,DC=nz
>   </Limit>
> </Location>
> 
> <Location /subversion/xml_dev/*/*>
>   AuthName "Third level"
>   <Limit GET PROPFIND PUT POST DELETE PROPPATCH
> MKCOL COPY MOVE LOCK UNLOCK>
>     require group CN=Subversion Administrator,OU=Svn
> Groups,DC=topnz,DC=ac,DC=nz
>     require group CN=Subversion Editors,OU=Svn
> Groups,DC=topnz,DC=ac,DC=nz
>   </Limit>
> </Location>
> ...
> 
> The "First level" element works okay, but the "Third
> level" element does not work, i.e. users cannot
> commit to the repository. Does it not cope with the
> asterisk notation(/subversion/xml_dev/*/* )? There
> are about 30 folders in the second level and lots
> more in the third level, so we don't want to have to
> specify them all individually. Is there some way to
> do this?
> 
> Donald Rogers
> 
> 


===== START SIGNATURE =====
Kites rise highest against the wind -- not with it.
-- Winston Churchill

It is better to be hated for what you are than loved for what you are not.
- Andre Gide

If you always do what you've always done you'll always be where you've always been.
-- Bill Purvis;
http://www.cascadehills.com/events/sermons.asp

Blog: http://blogs.whyaskwhy.org/deoren/
===== END SIGNATURE =====


		