Posted to users@subversion.apache.org by Matthew Boehm <ma...@familytreedna.com> on 2008/04/08 20:42:42 UTC

Path Permission Frustrations

Hello All,
  I have a repository, myproject, at /var/svn/myproject/. My 
svnserve.conf looks like this:

[general]
password-db = /var/svn/myproject/.svnpasswd
authz-db = /var/svn/myproject/authz
realm = My Project

My authz looks like this:

---------------------------------------------------
[groups]
developers = jtrades, bblack, csmartt, ekreston
admins = jtrades

[/]
* =

[myproject:/trunk]
@developers = rw
@admins = rw

[myproject:/branches]
@developers = r
@admins = rw

[myproject:/branches/RELEASE-1.0]
csmartt =
---------------------------------------------------

What the above attempts to accomplish:
  1) deny anon access to everything
  2) allow developers and admins rw to trunk
  3) allow developers read-only to all branches, admins rw
  4) allow developers read-only, admins rw, and deny csmartt to RELEASE-1.0

Here are the issues:

svn co svn://localhost/myproject/trunk mytrunk
Authentication realm: <svn://localhost:3690> myproject
Password for 'csmartt': XXXXX
svn: Not authorized to open root of edit operation

What does that mean? csmartt is part of the developers group and that
group has rw on /trunk, so what's this mean?

Same error when csmartt tries to checkout /trunk or any other /branch.

If I alter the [/] to be * = r, then csmartt can now checkout trunk,
albeit anonymously, which we don't want.

csmartt can now also checkout RELEASE-1.0 which we want to deny.

Any ideas? Can someone provide their authz file for learning purposes?

Thanks,
Matthew

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Path Permission Frustrations

Posted by Mark Reibert <sv...@reibert.com>.
Similar issues have been recently discussed. You may wish to browse:

http://subversion.tigris.org/servlets/BrowseList?list=users&by=thread&from=641547
http://subversion.tigris.org/servlets/BrowseList?list=users&by=thread&from=644685

This has also been recently reported on the dev list, see:

http://subversion.tigris.org/servlets/BrowseList?list=dev&by=thread&from=641721

Finally, this also exists as an official issue at:

http://subversion.tigris.org/issues/show_bug.cgi?id=2907

But as the core developers are busy with the upcoming 1.5 release this
appears to be falling under the radar.

On Tue, 2008-04-08 at 15:42 -0500, Matthew Boehm wrote:
> Hello All,
>   I have a repository, myproject, at /var/svn/myproject/. My 
> svnserve.conf looks like this:
> 
> [general]
> password-db = /var/svn/myproject/.svnpasswd
> authz-db = /var/svn/myproject/authz
> realm = My Project
> 
> My authz looks like this:
> 
> ---------------------------------------------------
> [groups]
> developers = jtrades, bblack, csmartt, ekreston
> admins = jtrades
> 
> [/]
> * =
> 
> [myproject:/trunk]
> @developers = rw
> @admins = rw
> 
> [myproject:/branches]
> @developers = r
> @admins = rw
> 
> [myproject:/branches/RELEASE-1.0]
> csmartt =
> ---------------------------------------------------
> 
> What the above attempts to accomplish:
>   1) deny anon access to everything
>   2) allow developers and admins rw to trunk
>   3) allow developers read-only to all branches, admins rw
>   4) allow developers read-only, admins rw, and deny csmartt to RELEASE-1.0
> 
> Here are the issues:
> 
> svn co svn://localhost/myproject/trunk mytrunk
> Authentication realm: <svn://localhost:3690> myproject
> Password for 'csmartt': XXXXX
> svn: Not authorized to open root of edit operation
> 
> What does that mean? csmartt is part of the developers group and that
> group has rw on /trunk, so what's this mean?
> 
> Same error when csmartt tries to checkout /trunk or any other /branch.
> 
> If I alter the [/] to be * = r, then csmartt can now checkout trunk,
> albeit anonymously, which we don't want.
> 
> csmartt can now also checkout RELEASE-1.0 which we want to deny.
> 
> Any ideas? Can someone provide their authz file for learning purposes?
> 
> Thanks,
> Matthew

-- 
----------------------
Mark S. Reibert, Ph.D.
svn@reibert.com
----------------------

