How to give local scripts unrestricted access to the repos?

[John Thile <gi...@gmail.com>]

Hello folks,

I'm having a problem with what should be a simple task, I think. I've
got a Subversion server using the SSPI authentication against my
domain. That works perfectly and is very cool. Just recently, I've
needed to add a lot more hook scripts. In the past, my scripts have
all operated only on individual transactions. One of my new scripts
actually needs to access the repos itself. It gets a 403 Forbidden
error, because it's not using a domain account.

I decided the best way to solve that would be to allow 127.0.0.1
unrestricted access to the repos, which should, in theory, prevent the
script from getting rejected. Well, that doesn't seem to be the case.
Here is what I've done:

<Location /repos>
*Order deny,allow
*Deny from All
DAV svn
SVNParentPath "F:/svn/"
AuthName "Subversion Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain SOLEKAI
SSPIOfferBasic On
AuthzSVNAccessFile "C:/Program Files/Subversion/auth.conf"
Require valid-user
*Allow from 127.0.0.1
*Satisfy Any
</Location>

The lines with a star are the lines I added to allow localhost access.
Now, this config doesn't break the domain access: everything works
exactly as it did before, including no localhost access. I'm sure
someone will ask, so yes: I did restart the Apache service.

Here are the log messages from when the script runs and is rejected:

access_log:
gamera.dm.solekai.com - "" [20/Apr/2006:08:02:10 -0700] "PROPFIND
/repos/newtrex HTTP/1.1" 403 335

error_log:
[Thu Apr 20 08:02:10 2006] [error] [client 127.0.0.1] Access denied:
'' PROPFIND newtrex:/

Is there something obvious I'm missing, here?

Thanks,

 -- gilrain

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: How to give local scripts unrestricted access to the repos?

[John Thile <gi...@gmail.com>]

Hehe, a simple and elegant solution! I was trying to do this the hard
way. Thank you for the tip, it works perfectly!

 -- gilrain


On 4/20/06, Ryan Schmidt <su...@ryandesign.com> wrote:
>
> You could have your hook scripts access the repository via the
> file:/// protocol and bypass all the http:// access restrictions
> you've put in place.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: How to give local scripts unrestricted access to the repos?

[Ryan Schmidt <su...@ryandesign.com>]

On Apr 20, 2006, at 17:19, John Thile wrote:

> I'm having a problem with what should be a simple task, I think. I've
> got a Subversion server using the SSPI authentication against my
> domain. That works perfectly and is very cool. Just recently, I've
> needed to add a lot more hook scripts. In the past, my scripts have
> all operated only on individual transactions. One of my new scripts
> actually needs to access the repos itself. It gets a 403 Forbidden
> error, because it's not using a domain account.
>
> I decided the best way to solve that would be to allow 127.0.0.1
> unrestricted access to the repos, which should, in theory, prevent the
> script from getting rejected. Well, that doesn't seem to be the case.

[snip]

You could have your hook scripts access the repository via the  
file:/// protocol and bypass all the http:// access restrictions  
you've put in place.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org