Posted to users@subversion.apache.org by Jon Sabo <jo...@gmail.com> on 2008/07/08 17:32:22 UTC

unexpected svn httpd acl behavior

I have a group of users I give read write access to an entire
repository and another group I give read write access to the entire
repository but I deny access to a directory further along inside of
trunk.  When they check out trunk, the directory they are not allowed
access is silently omitted and they check out all of trunk minus that
dir.  That is what I expected and hoped would happen.

However, when attempting to copy trunk to a branch they get access
denied and it does not allow them to create the branch.

They are allowed to write to the branch, and I have, as one of the
limited users, created files and directories inside of config:/branch,
but I cannot copy from trunk to branch.

When I do so I see the following in my apache ssl logs:

Access denied: 'bob' COPY config:/trunk config:/branches/bob-uho-1.9

When I check out a working copy of trunk as "bob" to my workstation,
it works fine as the limited user; it just omits the mydir
directory.  When I try to copy it from the working copy to the branch,
it fails with these errors.

Command from inside the working copy:

svn copy . https://myhost/repos/config/branches/bob-uho-1.9

Fails with this error:

"svn-commit.tmp" 4L, 147C written
svn: Commit failed (details follow):
svn: Directory '/home/illsci/Src/config/install/mydir' is missing
svn: Your commit message was left in a temporary file:


I have an apache svn setup and the following is my configuration:

[groups]
boh = illsci
doh_rw = bob

[config:/]
@boh = rw
@doh_rw = rw

# DISABLE ACCESS TO MYDIR
[config:/trunk/install/mydir]
@boh = rw
* =

<Location /repos>
   DAV svn
   SVNParentPath /app/svn
   AuthType Basic
   AuthName "Repos"
   AuthUserFile /etc/httpd/conf.d/svnusers
   # Access control policy
   AuthzSVNAccessFile /etc/httpd/conf.d/svnaclpolicy
   # Require SSL connection for password protection.
   SSLRequireSSL
   Require valid-user
</Location>

Is this expected?

How can I limit users from accessing a part of trunk but still allow
them to branch it or is that just not going to go my way?

Thanks,

Jonathan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: unexpected svn httpd acl behavior

Posted by John Peacock <jo...@havurah-software.org>.
Jon Sabo wrote:
> How can I limit users from accessing a part of trunk but still allow
> them to branch it or is that just not going to go my way?

This just came up recently.  The short answer is that in order to make a 
branch/tag, you must have rights to all folders beneath the source.  The 
reason for this is that if it were otherwise, you would have 
inconsistencies:

1) if you allowed the unprivileged user to make a branch with missing 
paths (like what happens when she just checks out the folder), then 
tags/branches made by accounts *with* rights to those folders would be 
different than those copies made by unprivileged users.

2) if you allowed unprivileged to make a copy including the originally 
forbidden directory, those files would now be visible to all (since the 
Subversion security model is strictly path based).

You are much better off taking the protected paths out of the main trunk 
folder altogether and making them a peer of trunk instead of a child of 
trunk.  That way, your unprivileged can make tags/branches without 
problem and your privileged are the only ones who can see those files.

John
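
Added example, not part of the thread and not Subversion's own code: a simplified Python model of the path-based check described in the reply, run against the access file quoted in the first message. It assumes repo-qualified sections with plain users, @groups and * only, and treats a COPY as needing read access on every section at or beneath the source, as the reply states.

```python
import configparser

# Constructed from the access file quoted in the first message.
AUTHZ = """
[groups]
boh = illsci
doh_rw = bob
[config:/]
@boh = rw
@doh_rw = rw
[config:/trunk/install/mydir]
@boh = rw
* =
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in v.split(",")} for g, v in cp["groups"].items()}
    return groups, {s: dict(cp[s]) for s in cp.sections() if s != "groups"}

def matches(subject, user, groups):
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject in ("*", user)

def access(user, repo, path, groups, rules):
    """Rights from the nearest section (path or ancestor) naming the user."""
    path = "/" + path.strip("/")
    while True:
        hits = [r for s, r in rules.get(f"{repo}:{path}", {}).items()
                if matches(s, user, groups)]
        if hits:
            return set("".join(hits))  # any grant in that section wins
        if path == "/":
            return set()  # no rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"

def copy_blockers(user, repo, src, groups, rules):
    """Paths at or beneath src the user cannot read; a COPY needs none."""
    src = "/" + src.strip("/")
    paths = {src}
    for name in rules:
        r, _, p = name.partition(":")
        if r == repo and (p + "/").startswith(src.rstrip("/") + "/"):
            paths.add(p)
    return sorted(p for p in paths if "r" not in access(user, repo, p, groups, rules))

if __name__ == "__main__":
    groups, rules = load(AUTHZ)
    for user in ("bob", "illsci"):
        print(user, copy_blockers(user, "config", "/trunk", groups, rules))
```

Renaming the restricted section to a hypothetical peer path such as config:/mydir, the layout the reply recommends, leaves bob with no blockers under /trunk while mydir stays unreadable to him.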
