Posted to dev@subversion.apache.org by David Glasser <gl...@davidglasser.net> on 2007/10/30 01:52:11 UTC

Re: How to authenticate HTTP users when root dir also has anonymous access?

On 10/29/07, Christian Convey <ch...@gmail.com> wrote:
> I'm running smack into a problem anticipated here:
>
> file:///home/cjc/Desktop/svn-book.html#svn.serverconfig.pathbasedauthz
>
> "In a similar way, if the root of the repository is anonymously
> world-readable, then the entire checkout will be done without
> authentication—again, skipping the unreadable directory, rather than
> asking for authentication partway through."
>
> I'd like to offer two kinds of HTTP-based access to my Subversion
> repository.  I'd like anonymous people to be able to get a read-only
> copy of the repository (but with certain subdirectories not appearing
> at all in the checkout).  I'd like authenticated developers to get
> read-write access (and the ability to see even those hidden
> directories.)
>
> The problem is, if I enable this rule in my access control file:
>
> [my-repos:/]
> @admin = rw
> @developers = rw
> * = r
>
> then Subversion/DAV seem to totally ignore the fact that the user was
> willing and able to provide developers' credentials on the "svn co"
> command line.  I.e.:
>
>  svn co --username cconvey --password mypasswd --no-auth-cache
> http://localhost/svn/my-repos/
>
> Does anyone know how I can accomplish what I'm trying to do?  (It
> would need to work ideally with svn 1.4.3 and 1.4.4)

One possibility is to provide two different URLs accessing the same
repository, one of which allows anonymous access and the other of
which doesn't; then have your developers just use the latter.

(Note that the right mailing list is dev@subversion.tigris.org, not
svn@, which is the commit mail list.)

--dave


-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/
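
The two-URL arrangement suggested in the reply above, written out as an added example that is not part of the original thread or of the Subversion project's own configuration. The URL prefixes, file paths, realm name and the hidden directory name `private` are assumptions; the user and group names are taken from the question.

```apache
# Added example. Both locations serve the same repositories under /var/svn
# and read the same access file, so there is one policy and two entry points.

# Anonymous entry point: no Auth* directives, so the server never sends a
# challenge and every request is evaluated as the anonymous user. Only the
# "*" rules in the access file can match here.
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    AuthzSVNAccessFile /etc/apache2/svn-authz
</Location>

# Developer entry point: "Require valid-user" forces a challenge on every
# request, so the user name is known before mod_authz_svn looks up the path
# and the @developers rules apply.
# Basic auth sends the password merely base64-encoded: serve this over HTTPS.
<Location /svn-auth>
    DAV svn
    SVNParentPath /var/svn
    AuthzSVNAccessFile /etc/apache2/svn-authz
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/apache2/svn-passwd
    Require valid-user
</Location>

# Contents of /etc/apache2/svn-authz (a separate file, shown as comments):
#
#   [groups]
#   developers = cconvey
#
#   [my-repos:/]
#   @developers = rw
#   * = r
#
#   # Hidden from anonymous checkouts: an empty right means no access.
#   [my-repos:/private]
#   @developers = rw
#   * =
```

Anonymous users check out `http://localhost/svn/my-repos/` and developers check out `http://localhost/svn-auth/my-repos/`; an existing working copy can be pointed at the new URL with `svn switch --relocate`.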



Re: How to authenticate HTTP users when root dir also has anonymous access?

Posted by km...@rockwellcollins.com.
dglasser@gmail.com wrote on 10/29/2007 08:52:11 PM:
> On 10/29/07, Christian Convey <ch...@gmail.com> wrote:
> > ...
> >
> > The problem is, if I enable this rule in my access control file:
> >
> > [my-repos:/]
> > @admin = rw
> > @developers = rw
> > * = r
> >
> > then Subversion/DAV seem to totally ignore the fact that the user was
> > willing and able to provide developers' credentials on the "svn co"
> > command line.  I.e.:
> >
> >  svn co --username cconvey --password mypasswd --no-auth-cache
> > http://localhost/svn/my-repos/
> >
> > Does anyone know how I can accomplish what I'm trying to do?  (It
> > would need to work ideally with svn 1.4.3 and 1.4.4)
> 
> One possibility is to provide two different URLs accessing the same
> repository, one of which allows anonymous access and the other of
> which doesn't; then have your developers just use the latter.

I propose a "new" special character that means "all authenticated users":
(I use "&" as an example, I have done no investigation if it has other
 meanings in this context)

[repo1:/]
@admin = rw
@developers = rw
& = r

We ran into the same problem because we authenticate with LDAP.  We wanted
everyone in the group to have read-only access, with restrictions farther
down.  We were forced to duplicate our LDAP group info in the access
control file (300+ usernames).  I realize we could set up cron jobs to
sync group lists, but I felt that was too messy, due to the lack of some
type of #include capability in the access file format.

Has anyone else wanted some type of include capability in the access file
as well?
(And yes, I could have created my own input file format, and processed it
 with the cron job, but that again feels messy.)

Kevin Radke