RE: AuthZ file not as expected - work around found - comments welcomed!

[Engebakken Geir <ge...@edb.com>]

I discovered by wading through the source for authz, that it is possible to invert the access rights by placing a ~ in front of a group/user name. Effectively making it possible to do what I want, which is grant rw access to a project to a group, and deny all access to the same project for all other users, at the same time giving read access to the repository root (which obviously is needed  for creating tags), so the content of the access file is like :

[/]
csvn = rw
@admin = rw

[groups]
admin = userx
fts_core = usery

[java:/]
@fts_core = r    # This was needed to be able to tag within fts_core

[java:/fts_core]
@fts_core = rw
~fts_core =                    3 deny access to all other than fts_core



This is not documented in the svnbook, I think, shouldnt it be?



Geir



________________________________
From: Engebakken Geir [mailto:geir.engebakken@edb.com]
Sent: 29. august 2008 14:42
To: users@subversion.tigris.org
Subject: RE: AuthZ file not as expected



I have set up a repository for many projects, and want to restrict both read and write access for each project to a group of people. Easy enough I would belive, but I end up with the users not being able to create tags or branches! They get an error :


    RA layer request failed
svn: Server sent unexpected return value (403 Forbidden) in response to PROPFIND request for '/repos/java'


Now if I give the user (rather the group the user belong to) read access to the repository root, everything works, but this is not what we want since we want to restrict read access to all the other projects! This seems like weird behaviour to me, any explanation?

Here is an abstract of our svn_access_file :

[/]
csvn = rw
@admin = rw

[groups]
admin = userx
fts_core = usery

[java:/]
@fts_core = r    # This was needed to be able to tag within fts_core

[java:/fts_core]
@fts_core = rw


Geir