Posted to users@subversion.apache.org by Matthew Boehm <ma...@familytreedna.com> on 2008/04/08 20:42:42 UTC
Path Permission Frustrations
Hello All,
I have a repository, myproject, at /var/svn/myproject/. My
svnserve.conf looks like this:
[general]
password-db = /var/svn/myproject/.svnpasswd
authz-db = /var/svn/myproject/authz
realm = My Project
My authz looks like this:
---------------------------------------------------
[groups]
developers = jtrades, bblack, csmartt, ekreston
admins = jtrades
[/]
* =
[myproject:/trunk]
@developers = rw
@admins = rw
[myproject:/branches]
@developers = r
@admins = rw
[myproject:/branches/RELEASE-1.0]
csmartt =
---------------------------------------------------
What the above attempts to accomplish:
1) deny anon access to everything
2) allow developers and admins rw to trunk
3) allow developers read-only to all branches, admins rw
4) allow developers read-only, admins rw, and deny csmartt to RELEASE-1.0
Here are the issues:
svn co svn://localhost/myproject/trunk mytrunk
Authentication realm: <svn://localhost:3690> myproject
Password for 'csmartt': XXXXX
svn: Not authorized to open root of edit operation
What does that mean? csmartt is part of the developers group and that
group has rw on /trunk so what's this mean?
Same error when csmartt tries to checkout /trunk or any other /branch.
If I alter the [/] to be * = r, then csmartt can now checkout trunk
albeit, anonymously; which we don't want.
csmartt can now also checkout RELEASE-1.0 which we want to deny.
Any ideas? Can someone provide their authz file for learning purposes?
Thanks,
Matthew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
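A simplified model of how the authz rules in the post above resolve for each user and path, added here as an example (it is not code from the thread or from Subversion). It assumes the Subversion 1.x per-path lookup: the most specific path is tried first, the repository-qualified section before the unqualified one, and all matching lines in a section are combined. The names GROUPS, RULES, matches, section_rights and access are hypothetical, and svnserve.conf settings are not modelled.

```python
# Added example: simplified model of Subversion 1.x per-path authz lookup.
# The groups and rules below are copied from the authz file in the post.
GROUPS = {
    "developers": {"jtrades", "bblack", "csmartt", "ekreston"},
    "admins": {"jtrades"},
}
RULES = {  # section name -> list of (principal, rights) lines
    "/": [("*", "")],
    "myproject:/trunk": [("@developers", "rw"), ("@admins", "rw")],
    "myproject:/branches": [("@developers", "r"), ("@admins", "rw")],
    "myproject:/branches/RELEASE-1.0": [("csmartt", "")],
}

def matches(principal, user):
    """True if an authz line applies to user (None means anonymous)."""
    if principal == "*":
        return True
    if user is None:
        return False
    if principal.startswith("@"):
        return user in GROUPS.get(principal[1:], set())
    return principal == user

def section_rights(section, user):
    """Union of rights from every matching line, or None if no line matches."""
    hits = [r for p, r in RULES.get(section, []) if matches(p, user)]
    if not hits:
        return None
    return "".join(c for c in "rw" if any(c in r for r in hits))

def access(repo, path, user):
    """Walk from path up to '/', trying '<repo>:<path>' before '<path>'."""
    while True:
        for section in (f"{repo}:{path}", path):
            rights = section_rights(section, user)
            if rights is not None:
                return rights
        if path == "/":
            return ""  # nothing matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    users = [None, "csmartt", "bblack", "jtrades"]
    paths = ["/", "/trunk", "/branches", "/branches/RELEASE-1.0"]
    for user in users:
        for path in paths:
            print(f"{user or 'anonymous':10} {path:24} {access('myproject', path, user)!r}")
```

Under this model the four stated goals hold for single-path lookups, while the repository root itself resolves to no access for every user because only `[/]` with `* =` applies there.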
Re: Path Permission Frustrations
Posted by Mark Reibert <sv...@reibert.com>.
Similar issues have been recently discussed. You may wish to browse:
http://subversion.tigris.org/servlets/BrowseList?list=users&by=thread&from=641547
http://subversion.tigris.org/servlets/BrowseList?list=users&by=thread&from=644685
This has also been recently reported on the dev list, see:
http://subversion.tigris.org/servlets/BrowseList?list=dev&by=thread&from=641721
Finally, this also exists as an official issue at:
http://subversion.tigris.org/issues/show_bug.cgi?id=2907
But as the core developers are busy with the upcoming 1.5 release this
appears to be falling under the radar.
On Tue, 2008-04-08 at 15:42 -0500, Matthew Boehm wrote:
> Hello All,
> I have a repository, myproject, at /var/svn/myproject/. My
> svnserve.conf looks like this:
>
> [general]
> password-db = /var/svn/myproject/.svnpasswd
> authz-db = /var/svn/myproject/authz
> realm = My Project
>
> My authz looks like this:
>
> ---------------------------------------------------
> [groups]
> developers = jtrades, bblack, csmartt, ekreston
> admins = jtrades
>
> [/]
> * =
>
> [myproject:/trunk]
> @developers = rw
> @admins = rw
>
> [myproject:/branches]
> @developers = r
> @admins = rw
>
> [myproject:/branches/RELEASE-1.0]
> csmartt =
> ---------------------------------------------------
>
> What the above attempts to accomplish:
> 1) deny anon access to everything
> 2) allow developers and admins rw to trunk
> 3) allow developers read-only to all branches, admins rw
> 4) allow developers read-only, admins rw, and deny csmartt to RELEASE-1.0
>
> Here are the issues:
>
> svn co svn://localhost/myproject/trunk mytrunk
> Authentication realm: <svn://localhost:3690> myproject
> Password for 'csmartt': XXXXX
> svn: Not authorized to open root of edit operation
>
> What does that mean? csmartt is part of the developers group and that
> group has rw on /trunk so what's this mean?
>
> Same error when csmartt tries to checkout /trunk or any other /branch.
>
> If I alter the [/] to be * = r, then csmartt can now checkout trunk
> albeit, anonymously; which we don't want.
>
> csmartt can now also checkout RELEASE-1.0 which we want to deny.
>
> Any ideas? Can someone provide their authz file for learning purposes?
>
> Thanks,
> Matthew
>
--
----------------------
Mark S. Reibert, Ph.D.
svn@reibert.com
----------------------