You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Eric Dalquist <er...@doit.wisc.edu> on 2010/03/23 14:39:22 UTC

read-only repository view

We would like to have a version of our SVN repository available 
read-only over HTTP.

I currently have it setup using:
<Location /svn>
         DAV svn
         SVNPath /jasig/svn/jasig

<LimitExcept GET PROPFIND OPTIONS REPORT>
             Require valid-user
</LimitExcept>
</Location>


Which works but I get 500 errors instead of a 401 or 403 like I'd expect:

commit -m "NOJIRA test" 
/home/edalquist/JavaClasses/workspace/PersonDirectory_trunk_RO/README.txt
     RA layer request failed
svn: Commit failed (details follow):
svn: Server sent unexpected return value (500 Internal Server Error) in 
response to MKACTIVITY request for 
'/svn/!svn/act/2348c9db-53b5-4d4b-852a-8cb5d0c4c071'


Is there a better way to have a read-only view of a repository?

-Eric

Re: read-only repository view

Posted by David Weintraub <qa...@gmail.com>.

Do you want people to be able to fetch pages from Subversion over a
web page? Or do you want people to be able to checkout code, but not
be able to check in changes?

If you want your source and all versions accessible over a web
browser, you might want to look at Sventon (which is free), ViewCS, or
a paid package like Fisheye. We use Sventon.

These will give you a read only view of your code, let you examine the
logs, look at previous versions, and do diffs. All visible through a
web browser and all read only.

On Tue, Mar 23, 2010 at 10:39 AM, Eric Dalquist
<er...@doit.wisc.edu> wrote:
> We would like to have a version of our SVN repository available read-only
> over HTTP.
>
> I currently have it setup using:
> <Location /svn>
>        DAV svn
>        SVNPath /jasig/svn/jasig
>
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>            Require valid-user
> </LimitExcept>
> </Location>
>
>
> Which works but I get 500 errors instead of a 401 or 403 like I'd expect:
>
> commit -m "NOJIRA test"
> /home/edalquist/JavaClasses/workspace/PersonDirectory_trunk_RO/README.txt
>    RA layer request failed
> svn: Commit failed (details follow):
> svn: Server sent unexpected return value (500 Internal Server Error) in
> response to MKACTIVITY request for
> '/svn/!svn/act/2348c9db-53b5-4d4b-852a-8cb5d0c4c071'
>
>
> Is there a better way to have a read-only view of a repository?
>
> -Eric
>
>

-- 
David Weintraub
qazwart@gmail.com

Re: read-only repository view

Posted by Eric Dalquist <er...@doit.wisc.edu>.

Thanks for the tip. I switched to this approach which gives us the 401 
we want.

On 03/23/2010 09:44 AM, Rob van Oostrum wrote:
> My guess is it doesn't like that you have the Require without 
> Authentication configured. The way I usually do this is have the 
> anonymous read / authenticated & authorized write construct (see 
> manual), and give the HTTP host its own access file where you set * = 
> r for [/], so authorization for write access will always fail.
>
> R.
>
> On Tue, Mar 23, 2010 at 3:39 PM, Eric Dalquist 
> <eric.dalquist@doit.wisc.edu <ma...@doit.wisc.edu>> wrote:
>
>     We would like to have a version of our SVN repository available
>     read-only over HTTP.
>
>     I currently have it setup using:
>     <Location /svn>
>            DAV svn
>            SVNPath /jasig/svn/jasig
>
>     <LimitExcept GET PROPFIND OPTIONS REPORT>
>                Require valid-user
>     </LimitExcept>
>     </Location>
>
>
>     Which works but I get 500 errors instead of a 401 or 403 like I'd
>     expect:
>
>     commit -m "NOJIRA test"
>     /home/edalquist/JavaClasses/workspace/PersonDirectory_trunk_RO/README.txt
>        RA layer request failed
>     svn: Commit failed (details follow):
>     svn: Server sent unexpected return value (500 Internal Server
>     Error) in response to MKACTIVITY request for
>     '/svn/!svn/act/2348c9db-53b5-4d4b-852a-8cb5d0c4c071'
>
>
>     Is there a better way to have a read-only view of a repository?
>
>     -Eric
>
>

Re: read-only repository view

Posted by Rob van Oostrum <rv...@gmail.com>.

My guess is it doesn't like that you have the Require without Authentication
configured. The way I usually do this is have the anonymous read /
authenticated & authorized write construct (see manual), and give the HTTP
host its own access file where you set * = r for [/], so authorization for
write access will always fail.

R.

On Tue, Mar 23, 2010 at 3:39 PM, Eric Dalquist
<er...@doit.wisc.edu>wrote:

> We would like to have a version of our SVN repository available read-only
> over HTTP.
>
> I currently have it setup using:
> <Location /svn>
>        DAV svn
>        SVNPath /jasig/svn/jasig
>
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>            Require valid-user
> </LimitExcept>
> </Location>
>
>
> Which works but I get 500 errors instead of a 401 or 403 like I'd expect:
>
> commit -m "NOJIRA test"
> /home/edalquist/JavaClasses/workspace/PersonDirectory_trunk_RO/README.txt
>    RA layer request failed
> svn: Commit failed (details follow):
> svn: Server sent unexpected return value (500 Internal Server Error) in
> response to MKACTIVITY request for
> '/svn/!svn/act/2348c9db-53b5-4d4b-852a-8cb5d0c4c071'
>
>
> Is there a better way to have a read-only view of a repository?
>
> -Eric
>
>

Re: read-only repository view

Posted by Eric Dalquist <er...@doit.wisc.edu>.

That was my concern as well and the following did work without prompting 
for a password. I did realize though that we had a path that was not 
supposed to be publicly readable. In playing with how to deal with that 
I found the following works as well. You get 403s for write operations 
and read operations on paths that are not read *. You also never get 
prompted for authentication information.

<Location /svn>
         DAV svn
         SVNPath /jasig/svn/jasig

         AuthzSVNAccessFile /jasig/svn/svn-read-only-authZ
</Location>

The authZ file looks like:

# Grant a global 'read' to all users, including anon.
[/]
* = r

# Restrict 'read/write' on infrastructure to infrastructure group only
[/infrastructure]
* =

On 3/23/10 3:58 PM, Konstantin Kolinko wrote:
> 2010/3/23 Eric Dalquist<er...@doit.wisc.edu>:
>    
>> We would like to have a version of our SVN repository available read-only
>> over HTTP.
>>      
> I have not tried, but I think you can do the following:
>
> ...
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>        Order Deny,Allow
>       Deny from all
> </LimitExcept>
>
>
> If you are providing access both by HTTP and HTTPS it might be a bad
> idea to even ask for credentials on HTTP, because if Basic auth is
> used the credentials are transmitted in plain text.
>
> Probably there are also another ways to limit allowed verbs to the
> above four, e.g. using SetEnvIf. That configuration snippet is just
> what came to mind.
>
> Best regards,
> Konstantin Kolinko
>

Re: read-only repository view

Posted by Konstantin Kolinko <kn...@gmail.com>.

2010/3/23 Eric Dalquist <er...@doit.wisc.edu>:
> We would like to have a version of our SVN repository available read-only
> over HTTP.

I have not tried, but I think you can do the following:

...
<LimitExcept GET PROPFIND OPTIONS REPORT>
     Order Deny,Allow
     Deny from all
</LimitExcept>


If you are providing access both by HTTP and HTTPS it might be a bad
idea to even ask for credentials on HTTP, because if Basic auth is
used the credentials are transmitted in plain text.

Probably there are also another ways to limit allowed verbs to the
above four, e.g. using SetEnvIf. That configuration snippet is just
what came to mind.

Best regards,
Konstantin Kolinko