Restricting permissions on tags and branches

[Jennifer Kesterson <je...@mail2.jpl.nasa.gov>]

I'm assigned the task of restricting permissions on the tags and branch 
directories.  They are located in the upper-most level of the respository, 
one directory for each.

Since the Subversion isn't a file system, I'm wondering how to access those 
directories to be able to set their permissions.  We are using Subversion 
1.1 on Win32.

Thanks.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Restricting permissions on tags and branches

[Ben Collins-Sussman <su...@collab.net>]

On Dec 16, 2004, at 1:43 PM, Jennifer Kesterson wrote:

> I'm assigned the task of restricting permissions on the tags and 
> branch directories.  They are located in the upper-most level of the 
> respository, one directory for each.
>
> Since the Subversion isn't a file system, I'm wondering how to access 
> those directories to be able to set their permissions.  We are using 
> Subversion 1.1 on Win32.

Read chapters 5 and 6 in the svnbook.   In particular, read about 
'pre-commit hooks' in chapter 5 and 'mod_authz_svn' in chapter 6.   If 
you're using svnserve as your server, then your only choice is to use a 
pre-commit hook to restrict write access to branches and tags -- 
read-access isn't controllable using hooks.  But if you're using apache 
as your server, then mod_authz_svn can control both read and write 
access on directories.

But the real reason I replied to this easy question (rather than let 
someone else do it):  is NASA really using subversion?  What for??  :-)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Restricting permissions on tags and branches

[Ben Collins-Sussman <su...@collab.net>]

Jennifer:  it's best to send these sorts of questions to the users@ 
list, rather than one person.  Instead of getting one response, you're 
like to get a whole bunch of helpful responses.  And the public traffic 
has the side effect of helping other people reading the list with the 
same questions.  So please keep this discussion on the list.  :-)

On Dec 17, 2004, at 9:57 AM, Jennifer Kesterson wrote:

> Ben, please forgive my ignorance.  I'm not a programmer.  When I look 
> at the sample pre-commit hook script, and I see the example inside, it 
> looks easy enough for the average programmer but I wouldn't know what 
> to write, not knowing the language.  I can see that it is calling a 
> commit-access-control.cfg file.  But what is in that file??  I'm at a 
> loss as to what to write and what might go in the files called by 
> these sample hook scripts.

The example "template" hooks are Unix shell scripts.  If you don't know 
Unix or it's built-in scripting, then it's useless to you.  But the 
point is that the hook script can be *any* program at all:  a windows 
batch file, a compiled program (written C++, Java, .NET, whatever), 
perl, python.  It doesn't matter.  Choose whatever language you're 
comfortable with.

The main point of the template is to illustrate that whatever, the hook 
program is, Subversion will pass specific arguments to it when running 
it.  In the case of the hook program named 'pre-commit', the two 
arguments are

    pre-commit /path/to/repository name-of-pending-transaction

Your hook program should read those incoming arguments, and then 
inspect the pending transaction.  If the transaction is good, return 
success.  If not, return failure.  Your hook program can use any number 
of tools to inspect the transcation:  the 'svnlook' program is good for 
this, or you can use libraries (C, perl, python, java) to do the work.

>
>  Is there another source that spells it out, such as Subversion Hook 
> Scripts for Non-Programmers and other Dummies? :-)  I'm ready to hand 
> this back to the whiz-bang programmer who assigned it to me.
>

Honestly -- no offense to you -- you should hand back the task to the 
programmer, or at least this portion of the task.  Subversion was 
designed with the assumption that the administrators responsible for 
deploying the system have some ability to write scripts in *some* 
language.  It's a pretty common assumption for most software like this.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org