Posted to users@subversion.apache.org by K F <cm...@yahoo.com> on 2012/01/30 21:39:48 UTC

Limited subdirectory access

We have repo ABC with 40+ subdirectories. Current svn security allows developers rw permissions and qa read only to ABC. We would like to have a subgroup of dev to have access to subdirectory DEF (ABC/DEF). Is there a way of doing this, or does the parent directory access take precedence?

Thanks,
Rich


RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org"
> > <us...@subversion.apache.org>, "Thorsten Schöning"
> > <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 3:24 PM
> > > I tried your suggestion of
> > >
> > > [/]
> > > *=r
> > >
> > > and I can still commit. So does that point to an error
> > in svnserve.conf?
> > >
> >
> > Yes, something is not configured properly. You are using the svn://
> > protocol to access your repository?
> >
> > BOb
> >
> >
> > > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> > wrote:
> > >
> > > > From: Bob Archer <Bo...@amsi.com>
> > > > Subject: RE: Limited subdirectory access
> > > > To: "K F" <cm...@yahoo.com>,
> > "users@subversion.apache.org"
> > > > <us...@subversion.apache.org>,
> > "Thorsten Schöning"
> > > > <ts...@am-soft.de>
> > > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > > I had already tried
> > > > >
> > > > > [/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > > >
> > > > > and that did not work.
> > > >
> > > > Did you step back further. 1st, svn is case
> > sensitive, so is the path
> > > > in question actually all upper case?
> > > >
> > > > Even further back than that... did you try to just
> > give all users read
> > > > only access to root to ensure your path auth is
> > working at all?
> > > > Something like:
> > > >
> > > > [/]
> > > > *=r
> > > >
> > > > Maybe even turn off anon access to ensure your
> > authentication is
> > > > working as well.
> > > >
> > > > Add stuff one step at a time.
> > > >
> > > > BOb
> > > >
> > > >
> 
> If I understand the question, yes. For the dir in question it is
> 
> svn://subversion/svnrepo/sandbox/DEF

Ok... so you are using svnserve. For some reason your auth file isn't being read. What does your config file look like? 

BOb


Re: Limited subdirectory access

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Bob Archer wrote on Tue, Jan 31, 2012 at 10:50:45 -0500:
> Are you restarting svnserve after you make config/auth file changes?
> Previous emails you talked about restarting apache.. but if you use
> the svn:// protocol you are NOT using Apache.

Last I checked it wasn't necessary to restart svnserve to effect config
file changes.

(I don't recall whether that applies both to the config file and to
referenced files such as the authz file.)

RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org"
> > <us...@subversion.apache.org>, "Thorsten Schöning"
> > <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 3:24 PM
> > > I tried your suggestion of
> > >
> > > [/]
> > > *=r
> > >
> > > and I can still commit. So does that point to an error
> > in svnserve.conf?
> > >
> >
> > Yes, something is not configured properly. You are using the svn://
> > protocol to access your repository?
> >
> > BOb
> >
> >
> > > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> > wrote:
> > >
> > > > From: Bob Archer <Bo...@amsi.com>
> > > > Subject: RE: Limited subdirectory access
> > > > To: "K F" <cm...@yahoo.com>,
> > "users@subversion.apache.org"
> > > > <us...@subversion.apache.org>,
> > "Thorsten Schöning"
> > > > <ts...@am-soft.de>
> > > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > > I had already tried
> > > > >
> > > > > [/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > > >
> > > > > and that did not work.
> > > >
> > > > Did you step back further. 1st, svn is case
> > sensitive, so is the path
> > > > in question actually all upper case?
> > > >
> > > > Even further back than that... did you try to just
> > give all users read
> > > > only access to root to ensure your path auth is
> > working at all?
> > > > Something like:
> > > >
> > > > [/]
> > > > *=r
> > > >
> > > > Maybe even turn off anon access to ensure your
> > authentication is
> > > > working as well.
> > > >
> > > > Add stuff one step at a time.
> > > >
> > > > BOb
> > > >
> > > >
> 
> If I understand the question, yes. For the dir in question it is
> 
> svn://subversion/svnrepo/sandbox/DEF

Are you restarting svnserve after you make config/auth file changes? Previous emails you talked about restarting apache.. but if you use the svn:// protocol you are NOT using Apache.

BOb




RE: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Tue, 1/31/12, K F <cm...@yahoo.com> wrote:

> From: K F <cm...@yahoo.com>
> Subject: RE: Limited subdirectory access
> To: "users@subversion.apache.org" <us...@subversion.apache.org>, "Thorsten Schöning" <ts...@am-soft.de>, "Bob Archer" <Bo...@amsi.com>
> Date: Tuesday, January 31, 2012, 3:29 PM
> 
> 
> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>,
> "users@subversion.apache.org"
> <us...@subversion.apache.org>,
> "Thorsten Schöning" <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 3:24 PM
> > > I tried your suggestion of
> > > 
> > > [/]
> > > *=r
> > > 
> > > and I can still commit. So does that point to an
> error
> > in svnserve.conf?
> > > 
> > 
> > Yes, something is not configured properly. You are
> using the
> > svn:// protocol to access your repository?
> > 
> > BOb
> > 
> > 
> > > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> > wrote:
> > > 
> > > > From: Bob Archer <Bo...@amsi.com>
> > > > Subject: RE: Limited subdirectory access
> > > > To: "K F" <cm...@yahoo.com>,
> > "users@subversion.apache.org"
> > > > <us...@subversion.apache.org>,
> > "Thorsten Schöning"
> > > > <ts...@am-soft.de>
> > > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > > I had already tried
> > > > >
> > > > > [/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > > >
> > > > > and that did not work.
> > > >
> > > > Did you step back further. 1st, svn is case
> > sensitive, so is the path
> > > > in question actually all upper case?
> > > >
> > > > Even further back than that... did you try to
> just
> > give all users read
> > > > only access to root to ensure your path auth
> is
> > working at all?
> > > > Something like:
> > > >
> > > > [/]
> > > > *=r
> > > >
> > > > Maybe even turn off anon access to ensure
> your
> > authentication is
> > > > working as well.
> > > >
> > > > Add stuff one step at a time.
> > > >
> > > > BOb
> > > >
> > > >
> 
> If I understand the question, yes. For the dir in question
> it is
> 
> svn://subversion/svnrepo/sandbox/DEF
> 
I discovered what MY issue was. In the svnserve.conf file there were duplicate entries for 

anon-access = 
auth-access = 

Once I removed the duplicate entries and just had 

anon-access = none
auth-access = write

it started working as it should have. Thank you all for your patience and help. The whole thing was a learning process for me.

Rich
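
A check for the failure described in the message above, as an added example that is not part of the original thread and not Subversion's own code: it scans svnserve.conf text for options set more than once, for anonymous access left enabled, and for a missing authz-db line. The real file from the thread was not posted, so both sample files and their values are constructed.

```python
"""Lint svnserve.conf text for the misconfigurations discussed in this thread."""

# Constructed sample: an earlier pair of access lines was left in place and a
# second pair was added further down (the values are assumptions).
BROKEN_CONF = """\
[general]
anon-access = read
auth-access = write
password-db = passwd
authz-db = authz
anon-access = none
auth-access = write
"""

# Constructed sample matching the fix reported in the thread.
FIXED_CONF = """\
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
"""


def parse_options(text):
    """Map (section, option) to every (line_number, value) where it is set."""
    seen = {}
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            seen.setdefault((section, key.strip()), []).append((line_no, value.strip()))
    return seen


def lint_svnserve_conf(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    options = parse_options(text)
    findings = []

    # 1. The same option set twice in one section: which value the server
    #    ends up using is not obvious to whoever edits the file next.
    for (section, key), hits in sorted(options.items()):
        if len(hits) > 1:
            where = ", ".join(f"line {n}: {v!r}" for n, v in hits)
            findings.append(("duplicate", f"[{section}] {key} is set {len(hits)} times ({where})"))

    general = {key: hits for (section, key), hits in options.items() if section == "general"}

    # 2. Anonymous access must be 'none' on every line that sets it. An unset
    #    anon-access is flagged too: svnserve's documented default is read.
    anon_values = [v for _, v in general.get("anon-access", [])]
    if not anon_values or any(v != "none" for v in anon_values):
        shown = anon_values or ["<unset>"]
        findings.append(("anon-access", f"anon-access values {shown} allow unauthenticated access"))

    # 3. Without authz-db the path-based rules file is never consulted.
    if "authz-db" not in general:
        findings.append(("authz-db", "no authz-db in [general]; path rules are not applied"))

    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name)
        for code, message in lint_svnserve_conf(conf) or [("ok", "no findings")]:
            print(f"  {code}: {message}")
```
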


RE: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:

> From: Bob Archer <Bo...@amsi.com>
> Subject: RE: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org" <us...@subversion.apache.org>, "Thorsten Schöning" <ts...@am-soft.de>
> Date: Tuesday, January 31, 2012, 3:24 PM
> > I tried your suggestion of
> > 
> > [/]
> > *=r
> > 
> > and I can still commit. So does that point to an error
> in svnserve.conf?
> > 
> 
> Yes, something is not configured properly. You are using the
> svn:// protocol to access your repository?
> 
> BOb
> 
> 
> > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> wrote:
> > 
> > > From: Bob Archer <Bo...@amsi.com>
> > > Subject: RE: Limited subdirectory access
> > > To: "K F" <cm...@yahoo.com>,
> "users@subversion.apache.org"
> > > <us...@subversion.apache.org>,
> "Thorsten Schöning"
> > > <ts...@am-soft.de>
> > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > I had already tried
> > > >
> > > > [/DEF]
> > > > @dev = r
> > > > @dev1 = rw
> > > >
> > > > and that did not work.
> > >
> > > Did you step back further. 1st, svn is case
> sensitive, so is the path
> > > in question actually all upper case?
> > >
> > > Even further back than that... did you try to just
> give all users read
> > > only access to root to ensure your path auth is
> working at all?
> > > Something like:
> > >
> > > [/]
> > > *=r
> > >
> > > Maybe even turn off anon access to ensure your
> authentication is
> > > working as well.
> > >
> > > Add stuff one step at a time.
> > >
> > > BOb
> > >
> > >

If I understand the question, yes. For the dir in question it is

svn://subversion/svnrepo/sandbox/DEF

RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> I tried your suggestion of
> 
> [/]
> *=r
> 
> and I can still commit. So does that point to an error in svnserve.conf?
> 

Yes, something is not configured properly. You are using the svn:// protocol to access your repository?

BOb


> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org"
> > <us...@subversion.apache.org>, "Thorsten Schöning"
> > <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 2:46 PM
> > > I had already tried
> > >
> > > [/DEF]
> > > @dev = r
> > > @dev1 = rw
> > >
> > > and that did not work.
> >
> > Did you step back further. 1st, svn is case sensitive, so is the path
> > in question actually all upper case?
> >
> > Even further back than that... did you try to just give all users read
> > only access to root to ensure your path auth is working at all?
> > Something like:
> >
> > [/]
> > *=r
> >
> > Maybe even turn off anon access to ensure your authentication is
> > working as well.
> >
> > Add stuff one step at a time.
> >
> > BOb
> >
> >
> > >
> > > --- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de>
> > wrote:
> > >
> > > > From: Thorsten Schöning <ts...@am-soft.de>
> > > > Subject: Re: Limited subdirectory access
> > > > To: users@subversion.apache.org
> > > > Date: Tuesday, January 31, 2012, 8:04 AM Hello
> > K F, on Monday, 30
> > > > January 2012 at 23:20 you wrote:
> > > >
> > > > > [ABC:/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > >
> > > > > Do I need the ABC in the front?
> > > >
> > > > If it's just one repository you're configuring your
> > authz file for, you
> > > > shouldn't need to specify ABC, so try without. If
> > this doesn't work,
> > > > you really should provide the whole authz file
> > with access rules for
> > > > all paths, groups, members and describe with which
> > user you login and
> > > > can commit to which folder.
> > > >
> > > > Best regards,
> > > >
> > > > Thorsten Schöning
> > > >
> > > > --
> > > > Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> > > > AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> > > >
> > > > Phone...............030-2 1001-310
> > > > Fax...............05151-  9468- 88
> > > > Mobile.............0178-8 9468- 04
> > > >
> > > > AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c,
> > 31789 Hameln AG
> > > > Hanover HRB 207 694 - Managing Director: Andreas
> > Muchow
> > > >
> > > >
> >

RE: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.
I tried your suggestion of 

[/]
*=r

and I can still commit. So does that point to an error in svnserve.conf?

--- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:

> From: Bob Archer <Bo...@amsi.com>
> Subject: RE: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org" <us...@subversion.apache.org>, "Thorsten Schöning" <ts...@am-soft.de>
> Date: Tuesday, January 31, 2012, 2:46 PM
> > I had already tried
> > 
> > [/DEF]
> > @dev = r
> > @dev1 = rw
> > 
> > and that did not work.
> 
> Did you step back further. 1st, svn is case sensitive, so is
> the path in question actually all upper case?
> 
> Even further back than that... did you try to just give all
> users read only access to root to ensure your path auth is
> working at all? Something like:
> 
> [/]
> *=r
> 
> Maybe even turn off anon access to ensure your authentication
> is working as well. 
> 
> Add stuff one step at a time.
> 
> BOb
> 
> 
> > 
> > --- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de>
> wrote:
> > 
> > > From: Thorsten Schöning <ts...@am-soft.de>
> > > Subject: Re: Limited subdirectory access
> > > To: users@subversion.apache.org
> > > Date: Tuesday, January 31, 2012, 8:04 AM Hello
> K F, on Monday, 30
> > > January 2012 at 23:20 you wrote:
> > >
> > > > [ABC:/DEF]
> > > > @dev = r
> > > > @dev1 = rw
> > >
> > > > Do I need the ABC in the front?
> > >
> > > If it's just one repository you're configuring your
> authz file for, you
> > > shouldn't need to specify ABC, so try without. If
> this doesn't work,
> > > you really should provide the whole authz file
> with access rules for
> > > all paths, groups, members and describe with which
> user you login and
> > > can commit to which folder.
> > >
> > > Best regards,
> > >
> > > Thorsten Schöning
> > >
> > > --
> > > Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> > > AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> > >
> > > Phone...............030-2 1001-310
> > > Fax...............05151-  9468- 88
> > > Mobile.............0178-8 9468- 04
> > >
> > > AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c,
> 31789 Hameln AG
> > > Hanover HRB 207 694 - Managing Director: Andreas
> Muchow
> > >
> > >
> 

RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> I had already tried
> 
> [/DEF]
> @dev = r
> @dev1 = rw
> 
> and that did not work.

Did you step back further. 1st, svn is case sensitive, so is the path in question actually all upper case?

Even further back than that... did you try to just give all users read only access to root to ensure your path auth is working at all? Something like:

[/]
*=r

Maybe even turn off anon access to ensure your authentication is working as well.

Add stuff one step at a time.

BOb


> 
> --- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de> wrote:
> 
> > From: Thorsten Schöning <ts...@am-soft.de>
> > Subject: Re: Limited subdirectory access
> > To: users@subversion.apache.org
> > Date: Tuesday, January 31, 2012, 8:04 AM Hello K F, on Monday, 30
> > January 2012 at 23:20 you wrote:
> >
> > > [ABC:/DEF]
> > > @dev = r
> > > @dev1 = rw
> >
> > > Do I need the ABC in the front?
> >
> > If it's just one repository you're configuring your authz file for, you
> > shouldn't need to specify ABC, so try without. If this doesn't work,
> > you really should provide the whole authz file with access rules for
> > all paths, groups, members and describe with which user you login and
> > can commit to which folder.
> >
> > Best regards,
> >
> > Thorsten Schöning
> >
> > --
> > Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> > AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> >
> > Phone...............030-2 1001-310
> > Fax...............05151-  9468- 88
> > Mobile.............0178-8 9468- 04
> >
> > AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln AG
> > Hanover HRB 207 694 - Managing Director: Andreas Muchow
> >
> >

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.
I had already tried

[/DEF]
@dev = r
@dev1 = rw

and that did not work.

--- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de> wrote:

> From: Thorsten Schöning <ts...@am-soft.de>
> Subject: Re: Limited subdirectory access
> To: users@subversion.apache.org
> Date: Tuesday, January 31, 2012, 8:04 AM
> Hello K F,
> on Monday, 30 January 2012 at 23:20 you wrote:
> 
> > [ABC:/DEF]
> > @dev = r
> > @dev1 = rw
> 
> > Do I need the ABC in the front?
> 
> If it's just one repository you're configuring your authz file
> for, you
> shouldn't need to specify ABC, so try without. If this
> doesn't work,
> you really should provide the whole authz file with access
> rules for
> all paths, groups, members and describe with which user you
> login and
> can commit to which folder.
> 
> Best regards,
> 
> Thorsten Schöning
> 
> -- 
> Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> 
> Phone...............030-2 1001-310
> Fax...............05151-  9468- 88
> Mobile.............0178-8 9468- 04
> 
> AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789
> Hameln
> AG Hanover HRB 207 694 - Managing Director: Andreas Muchow
> 
> 

Re: Limited subdirectory access

Posted by Thorsten Schöning <ts...@am-soft.de>.
Hello K F,
on Monday, 30 January 2012 at 23:20 you wrote:

> [ABC:/DEF]
> @dev = r
> @dev1 = rw

> Do I need the ABC in the front?

If it's just one repository you're configuring your authz file for, you
shouldn't need to specify ABC, so try without. If this doesn't work,
you really should provide the whole authz file with access rules for
all paths, groups, members and describe with which user you login and
can commit to which folder.

Best regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone...............030-2 1001-310
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hanover HRB 207 694 - Managing Director: Andreas Muchow


Re: Limited subdirectory access

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Johan Corveleyn wrote on Mon, Jan 30, 2012 at 23:13:17 +0100:
> Can you check if order of the rules matters? Either putting this rule
> with [ABC:/DEF] before or after the other one (for [ABC:/]). I'm not
> sure, but I vaguely remember some prior discussion about this ...

Aren't they parsed into a hash?

Anyway: [foo:/bar] has priority over [/bar].

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Johan Corveleyn <jc...@gmail.com> wrote:

> From: Johan Corveleyn <jc...@gmail.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: "Stefan Sperling" <st...@elego.de>, "Andy Levy" <an...@gmail.com>, users@subversion.apache.org
> Date: Monday, January 30, 2012, 10:13 PM
> On Mon, Jan 30, 2012 at 10:55 PM, K F
> <cm...@yahoo.com>
> wrote:
> >
> >
> > --- On Mon, 1/30/12, Stefan Sperling <st...@elego.de>
> wrote:
> >
> >> From: Stefan Sperling <st...@elego.de>
> >> Subject: Re: Limited subdirectory access
> >> To: "K F" <cm...@yahoo.com>
> >> Cc: "Andy Levy" <an...@gmail.com>,
> users@subversion.apache.org
> >> Date: Monday, January 30, 2012, 9:32 PM
> >> On Mon, Jan 30, 2012 at 01:14:53PM
> >> -0800, K F wrote:
> >> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
> >> wrote:
> >> > > have it setup in the authz file now:
> >> > > > [/]
> >> > > > @dev = rw
> >> > > > @qa = r
> >> > > >
> >> > > > [/ABC/DEF]
> >> > > > @dev1 = rw
> >> > > >
> >> > > > Do I need to be more specific?
> >> > > >
> >> > >
> >> > > What exactly isn't working?
> >> > >
> >> > > Is dev1 a group, or an individual?
> >> > >
> >> > > Do you have the case of the path matched
> exactly?
> >> The rules
> >> > > are case-sensitive.
> >> > >
> >> >
> >> > I am able to commit with a login that is in
> the dev
> >> group that is not in the dev1 group.
> >> >
> >> > The actual path is /svnrepo/ABC/DEF so I
> tried
> >> >
> >> > [/svnrepo/sandbox/tags]
> >> > @dev1 = rw
> >> >
> >> > and that doesn't work either. Based on the
> example in
> >> the file I also tried
> >> >
> >> > [repository:/svnrepo/sandbox/tags]
> >> > @dev1 = rw
> >> >
> >> > with no luck. Any ideas as to what I am doing
> wrong?
> >>
> >> You'll need to tighten permissions for the 'dev'
> group in
> >> /ABC/DEF also.
> >> [/]
> >> @dev = rw
> >> @qa = r
> >>
> >> [/ABC/DEF]
> >> @dev = r
> >> @dev1 = rw
> >>
> >> See this snippet from
> >> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
> >>   "Of course, permissions are inherited from
> parent to
> >> child directory.
> >>   That means we can specify a subdirectory with a
> >> different access policy
> >>   for Sally:
> >>
> >>   [calc:/branches/calc/bug-142]
> >>   harry = rw
> >>   sally = r
> >>
> >>   # give sally write access only to the 'testing'
> >> subdir
> >>   [calc:/branches/calc/bug-142/testing]
> >>   sally = rw
> >>
> >>   Now Sally can write to the testing subdirectory
> of
> >> the branch, but can
> >>   still only read other parts. Harry, meanwhile,
> >> continues to have
> >>   complete read/write access to the whole
> branch."
> >>
> >> The same applies when restricting access, rather
> than
> >> expanding it.
> >>
> >
> > I realize my explanation is wrong, my apologies. It is
> actually repo ABC with 40+ folders under it. I want to limit
> who has access to one of the folders (DEF). After looking at
> the svnbook, I thought the following would work but it is
> still not working:
> >
> > [ABC:/DEF]
> > @dev = r
> > @dev1 = rw
> 
> Can you check if order of the rules matters? Either putting
> this rule
> with [ABC:/DEF] before or after the other one (for [ABC:/]).
> I'm not
> sure, but I vaguely remember some prior discussion about
> this ...
> 
> -- 
> Johan
> 

I tried swapping the order and that didn't work either. Am I stating it correctly?

[ABC:/DEF]
@dev = r
@dev1 = rw

Do I need the ABC in the front?



Re: Limited subdirectory access

Posted by Johan Corveleyn <jc...@gmail.com>.
On Mon, Jan 30, 2012 at 10:55 PM, K F <cm...@yahoo.com> wrote:
>
>
> --- On Mon, 1/30/12, Stefan Sperling <st...@elego.de> wrote:
>
>> From: Stefan Sperling <st...@elego.de>
>> Subject: Re: Limited subdirectory access
>> To: "K F" <cm...@yahoo.com>
>> Cc: "Andy Levy" <an...@gmail.com>, users@subversion.apache.org
>> Date: Monday, January 30, 2012, 9:32 PM
>> On Mon, Jan 30, 2012 at 01:14:53PM
>> -0800, K F wrote:
>> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
>> wrote:
>> > > have it setup in the authz file now:
>> > > > [/]
>> > > > @dev = rw
>> > > > @qa = r
>> > > >
>> > > > [/ABC/DEF]
>> > > > @dev1 = rw
>> > > >
>> > > > Do I need to be more specific?
>> > > >
>> > >
>> > > What exactly isn't working?
>> > >
>> > > Is dev1 a group, or an individual?
>> > >
>> > > Do you have the case of the path matched exactly?
>> The rules
>> > > are case-sensitive.
>> > >
>> >
>> > I am able to commit with a login that is in the dev
>> group that is not in the dev1 group.
>> >
>> > The actual path is /svnrepo/ABC/DEF so I tried
>> >
>> > [/svnrepo/sandbox/tags]
>> > @dev1 = rw
>> >
>> > and that doesn't work either. Based on the example in
>> the file I also tried
>> >
>> > [repository:/svnrepo/sandbox/tags]
>> > @dev1 = rw
>> >
>> > with no luck. Any ideas as to what I am doing wrong?
>>
>> You'll need to tighten permissions for the 'dev' group in
>> /ABC/DEF also.
>> [/]
>> @dev = rw
>> @qa = r
>>
>> [/ABC/DEF]
>> @dev = r
>> @dev1 = rw
>>
>> See this snippet from
>> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
>>   "Of course, permissions are inherited from parent to
>> child directory.
>>   That means we can specify a subdirectory with a
>> different access policy
>>   for Sally:
>>
>>   [calc:/branches/calc/bug-142]
>>   harry = rw
>>   sally = r
>>
>>   # give sally write access only to the 'testing'
>> subdir
>>   [calc:/branches/calc/bug-142/testing]
>>   sally = rw
>>
>>   Now Sally can write to the testing subdirectory of
>> the branch, but can
>>   still only read other parts. Harry, meanwhile,
>> continues to have
>>   complete read/write access to the whole branch."
>>
>> The same applies when restricting access, rather than
>> expanding it.
>>
>
> I realize my explanation is wrong, my apologies. It is actually repo ABC with 40+ folders under it. I want to limit who has access to one of the folders (DEF). After looking at the svnbook, I thought the following would work but it is still not working:
>
> [ABC:/DEF]
> @dev = r
> @dev1 = rw

Can you check if order of the rules matters? Either putting this rule
with [ABC:/DEF] before or after the other one (for [ABC:/]). I'm not
sure, but I vaguely remember some prior discussion about this ...

-- 
Johan

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Stefan Sperling <st...@elego.de> wrote:

> From: Stefan Sperling <st...@elego.de>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: "Andy Levy" <an...@gmail.com>, users@subversion.apache.org
> Date: Monday, January 30, 2012, 9:32 PM
> On Mon, Jan 30, 2012 at 01:14:53PM
> -0800, K F wrote:
> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
> wrote:
> > > have it setup in the authz file now:
> > > > [/]
> > > > @dev = rw
> > > > @qa = r
> > > >
> > > > [/ABC/DEF]
> > > > @dev1 = rw
> > > >
> > > > Do I need to be more specific?
> > > >
> > > 
> > > What exactly isn't working?
> > > 
> > > Is dev1 a group, or an individual?
> > > 
> > > Do you have the case of the path matched exactly?
> The rules
> > > are case-sensitive.
> > > 
> > 
> > I am able to commit with a login that is in the dev
> group that is not in the dev1 group.
> > 
> > The actual path is /svnrepo/ABC/DEF so I tried
> > 
> > [/svnrepo/sandbox/tags]
> > @dev1 = rw
> > 
> > and that doesn't work either. Based on the example in
> the file I also tried
> > 
> > [repository:/svnrepo/sandbox/tags]
> > @dev1 = rw
> > 
> > with no luck. Any ideas as to what I am doing wrong?
> 
> You'll need to tighten permissions for the 'dev' group in
> /ABC/DEF also.
> [/]
> @dev = rw
> @qa = r
> 
> [/ABC/DEF]
> @dev = r      
> @dev1 = rw
> 
> See this snippet from
> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
>   "Of course, permissions are inherited from parent to
> child directory.
>   That means we can specify a subdirectory with a
> different access policy
>   for Sally:
>   
>   [calc:/branches/calc/bug-142]
>   harry = rw
>   sally = r
>   
>   # give sally write access only to the 'testing'
> subdir
>   [calc:/branches/calc/bug-142/testing]
>   sally = rw
>   
>   Now Sally can write to the testing subdirectory of
> the branch, but can
>   still only read other parts. Harry, meanwhile,
> continues to have
>   complete read/write access to the whole branch."
> 
> The same applies when restricting access, rather than
> expanding it.
> 

I realize my explanation is wrong, my apologies. It is actually repo ABC with 40+ folders under it. I want to limit who has access to one of the folders (DEF). After looking at the svnbook, I thought the following would work but it is still not working:

[ABC:/DEF]
@dev = r
@dev1 = rw




Re: Limited subdirectory access

Posted by Stefan Sperling <st...@elego.de>.
On Mon, Jan 30, 2012 at 01:14:53PM -0800, K F wrote:
> --- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:
> > have it setup in the authz file now:
> > > [/]
> > > @dev = rw
> > > @qa = r
> > >
> > > [/ABC/DEF]
> > > @dev1 = rw
> > >
> > > Do I need to be more specific?
> > >
> > 
> > What exactly isn't working?
> > 
> > Is dev1 a group, or an individual?
> > 
> > Do you have the case of the path matched exactly? The rules
> > are case-sensitive.
> > 
> 
> I am able to commit with a login that is in the dev group that is not in the dev1 group.
> 
> The actual path is /svnrepo/ABC/DEF so I tried
> 
> [/svnrepo/sandbox/tags]
> @dev1 = rw
> 
> and that doesn't work either. Based on the example in the file I also tried
> 
> [repository:/svnrepo/sandbox/tags]
> @dev1 = rw
> 
> with no luck. Any ideas as to what I am doing wrong?

You'll need to tighten permissions for the 'dev' group in /ABC/DEF also.
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev = r      
@dev1 = rw

See this snippet from
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
  "Of course, permissions are inherited from parent to child directory.
  That means we can specify a subdirectory with a different access policy
  for Sally:
  
  [calc:/branches/calc/bug-142]
  harry = rw
  sally = r
  
  # give sally write access only to the 'testing' subdir
  [calc:/branches/calc/bug-142/testing]
  sally = rw
  
  Now Sally can write to the testing subdirectory of the branch, but can
  still only read other parts. Harry, meanwhile, continues to have
  complete read/write access to the whole branch."

The same applies when restricting access, rather than expanding it.
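
The inheritance rule quoted in the message above, worked through as an added example (not part of the original message and not Subversion's implementation): a simplified model that walks from the requested path up to the root and stops at the first section that names the user, checking a repository-qualified section before the unqualified one. The group members (alice, bob, carol), the repository name `repo1`, and the choice to combine all matching lines within one section are assumptions of this model.

```python
"""Simplified model of path-based authz lookup (not Subversion's own code)."""
import configparser

# Constructed group definitions; the member names are hypothetical.
GROUPS = """\
[groups]
dev = alice, bob
dev1 = alice
qa = carol
"""

# Rules as first tried in the thread: the subdirectory only names dev1.
RULES_BEFORE = GROUPS + """
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev1 = rw
"""

# Rules from the reply above: dev is explicitly lowered on the subdirectory.
RULES_AFTER = GROUPS + """
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev = r
@dev1 = rw
"""


def load_authz(text):
    """Return (groups, rules): group -> members, section name -> {principal: perms}."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep case: users, groups and paths are case-sensitive
    parser.read_string(text)
    groups, rules = {}, {}
    for section in parser.sections():
        entries = dict(parser.items(section))
        if section == "groups":
            groups = {g: {m.strip() for m in members.split(",") if m.strip()}
                      for g, members in entries.items()}
        else:
            rules[section] = entries
    return groups, rules


def applies(principal, user, groups):
    """True if an authz line for principal ('*', '@group' or a user name) covers user."""
    if principal == "*":
        return True
    if principal.startswith("@"):
        return user in groups.get(principal[1:], set())
    return principal == user


def effective_access(authz_text, repo, path, user):
    """Return 'rw', 'r' or '' for user on path in repo."""
    groups, rules = load_authz(authz_text)
    parts = [p for p in path.split("/") if p]
    # Most specific path first, then each parent up to "/".
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        # A repository-qualified section is checked before the plain one.
        for section in (f"{repo}:{candidate}", candidate):
            perms = [perm for who, perm in rules.get(section, {}).items()
                     if applies(who, user, groups)]
            if perms:  # this section names the user: stop, do not look at parents
                granted = "".join(perms)
                return "rw" if "w" in granted else ("r" if "r" in granted else "")
    return ""  # no section anywhere names the user


if __name__ == "__main__":
    for label, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for user in ("alice", "bob", "carol"):
            print(label, user, repr(effective_access(text, "repo1", "/ABC/DEF/file.c", user)))
```

In this model bob (in dev but not dev1) keeps rw on /ABC/DEF under the first rule set, because that section never names him and the lookup falls through to [/]; under the second rule set he drops to r.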

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:

> From: Andy Levy <an...@gmail.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: users@subversion.apache.org
> Date: Monday, January 30, 2012, 8:57 PM
> On Mon, Jan 30, 2012 at 15:52, K F
> <cm...@yahoo.com>
> wrote:
> >
> >
> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
> wrote:
> >
> >> From: Andy Levy <an...@gmail.com>
> >> Subject: Re: Limited subdirectory access
> >> To: "K F" <cm...@yahoo.com>
> >> Cc: users@subversion.apache.org
> >> Date: Monday, January 30, 2012, 8:45 PM
> >> On Mon, Jan 30, 2012 at 15:39, K F
> >> <cm...@yahoo.com>
> >> wrote:
> >> > We have repo ABC with 40+ subdirectories.
> Current svn
> >> security allows developers rw permissions and qa
> read only
> >> to ABC. We would like to have a subgroup of dev to
> have
> >> access to subdirectory DEF (ABC/DEF). Is there a
> way of
> >> doing this, or does the parent directory access
> take
> >> precedence?
> >>
> >> The most specific path matches first. Just add a
> rule for
> >> that
> >> subgroup to have access to ABC/DEF and they'll be
> set.
> >>
> >
> > OK, then I must be doing something wrong. This is how I
> have it setup in the authz file now:
> > [/]
> > @dev = rw
> > @qa = r
> >
> > [/ABC/DEF]
> > @dev1 = rw
> >
> > Do I need to be more specific?
> >
> 
> What exactly isn't working?
> 
> Is dev1 a group, or an individual?
> 
> Do you have the case of the path matched exactly? The rules
> are case-sensitive.
> 

I am able to commit with a login that is in the dev group that is not in the dev1 group.

The actual path is /svnrepo/ABC/DEF so I tried

[/svnrepo/sandbox/tags]
@dev1 = rw

and that doesn't work either. Based on the example in the file I also tried

[repository:/svnrepo/sandbox/tags]
@dev1 = rw

with no luck. Any ideas as to what I am doing wrong?

Re: Limited subdirectory access

Posted by Andy Levy <an...@gmail.com>.
On Mon, Jan 30, 2012 at 15:52, K F <cm...@yahoo.com> wrote:
>
>
> --- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:
>
>> From: Andy Levy <an...@gmail.com>
>> Subject: Re: Limited subdirectory access
>> To: "K F" <cm...@yahoo.com>
>> Cc: users@subversion.apache.org
>> Date: Monday, January 30, 2012, 8:45 PM
>> On Mon, Jan 30, 2012 at 15:39, K F
>> <cm...@yahoo.com>
>> wrote:
>> > We have repo ABC with 40+ subdirectories. Current svn
>> security allows developers rw permissions and qa read only
>> to ABC. We would like to have a subgroup of dev to have
>> access to subdirectory DEF (ABC/DEF). Is there a way of
>> doing this, or does the parent directory access take
>> precedence?
>>
>> The most specific path matches first. Just add a rule for
>> that
>> subgroup to have access to ABC/DEF and they'll be set.
>>
>
> OK, then I must be doing something wrong. This is how I have it setup in the authz file now:
> [/]
> @dev = rw
> @qa = r
>
> [/ABC/DEF]
> @dev1 = rw
>
> Do I need to be more specific?
>

What exactly isn't working?

Is dev1 a group, or an individual?

Do you have the case of the path matched exactly? The rules are case-sensitive.

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:

> From: Andy Levy <an...@gmail.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: users@subversion.apache.org
> Date: Monday, January 30, 2012, 8:45 PM
> On Mon, Jan 30, 2012 at 15:39, K F
> <cm...@yahoo.com>
> wrote:
> > We have repo ABC with 40+ subdirectories. Current svn
> security allows developers rw permissions and qa read only
> to ABC. We would like to have a subgroup of dev to have
> access to subdirectory DEF (ABC/DEF). Is there a way of
> doing this, or does the parent directory access take
> precedent?
> 
> The most specific path matches first. Just add a rule for
> that
> subgroup to have access to ABC/DEF and they'll be set.
> 

OK, then I must be doing something wrong. This is how I have it setup in the authz file now:
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev1 = rw

Do I need to be more specific?


Re: Limited subdirectory access

Posted by Andy Levy <an...@gmail.com>.
On Mon, Jan 30, 2012 at 15:39, K F <cm...@yahoo.com> wrote:
> We have repo ABC with 40+ subdirectories. Current svn security allows developers rw permissions and qa read only to ABC. We would like to have a subgroup of dev to have access to subdirectory DEF (ABC/DEF). Is there a way of doing this, or does the parent directory access take precedent?

The most specific path matches first. Just add a rule for that
subgroup to have access to ABC/DEF and they'll be set.

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Tue, 1/31/12, Andy Levy <an...@gmail.com> wrote:

> From: Andy Levy <an...@gmail.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: "users@subversion.apache.org" <us...@subversion.apache.org>, "MarkCooke" <ma...@siemens.com>
> Date: Tuesday, January 31, 2012, 1:54 PM
> On Tue, Jan 31, 2012 at 08:22, K F <cm...@yahoo.com> wrote:
> >
> >
> > --- On Tue, 1/31/12, Cooke, Mark <ma...@siemens.com> wrote:
> >
> >> From: Cooke, Mark <ma...@siemens.com>
> >> Subject: RE: Limited subdirectory access
> >> To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org" <us...@subversion.apache.org>
> >> Date: Tuesday, January 31, 2012, 9:25 AM
> >> > -----Original Message-----
> >> > From: K F [mailto:cmkforce@yahoo.com]
> >>
> >> > Sent: 30 January 2012 20:40
> >> > To: users@subversion.apache.org
> >> > Subject: Limited subdirectory access
> >> >
> >> > We have repo ABC with 40+ subdirectories. Current svn
> >> > security allows developers rw permissions and qa read only to
> >> > ABC. We would like to have a subgroup of dev to have access
> >> > to subdirectory DEF (ABC/DEF). Is there a way of doing this,
> >> > or does the parent directory access take precedent?
> >> >
> >> > Thanks,
> >> > Rich
> >> >
> >>
> >> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
> >>
> >> The most specific access takes precedent.  You would
> >> need to 'revoke' the normal developer's access to the subdir
> >> (if I understand you correctly) by assigning either 'r' or
> >> just nothing to their group...
> >>
> >> ~ mark c
> >>
> > I tried without anything and still no good
> >
> > [/DEF]
> > @dev =
> > @dev1 = rw
> >
> >
> > I have setup a test repo called sandbox with some subdirectories. Here is my authz file minus all the commented out lines:
> >
> > [aliases]
> >
> > [groups]
> > dev = rcrespo, test
> > dev1 = test
> > qa = qagroup
> 
> I can't explain why, and maybe it's been fixed in a later version, but
> I seem to recall having an issue with path-based authorization when
> the groups were defined with spaces. IOW, this:
> 
> dev = rcrespo, test
> 
> did not work properly but this:
> 
> dev = rcrespo,test
> 
> did.
> 
I removed the space and that didn't work. I'm open to trying anything that is suggested.

Re: Limited subdirectory access

Posted by Andy Levy <an...@gmail.com>.
On Tue, Jan 31, 2012 at 08:22, K F <cm...@yahoo.com> wrote:
>
>
> --- On Tue, 1/31/12, Cooke, Mark <ma...@siemens.com> wrote:
>
>> From: Cooke, Mark <ma...@siemens.com>
>> Subject: RE: Limited subdirectory access
>> To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org" <us...@subversion.apache.org>
>> Date: Tuesday, January 31, 2012, 9:25 AM
>> > -----Original Message-----
>> > From: K F [mailto:cmkforce@yahoo.com]
>>
>> > Sent: 30 January 2012 20:40
>> > To: users@subversion.apache.org
>> > Subject: Limited subdirectory access
>> >
>> > We have repo ABC with 40+ subdirectories. Current svn
>> > security allows developers rw permissions and qa read only to
>> > ABC. We would like to have a subgroup of dev to have access
>> > to subdirectory DEF (ABC/DEF). Is there a way of doing this,
>> > or does the parent directory access take precedent?
>> >
>> > Thanks,
>> > Rich
>> >
>>
>> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
>>
>> The most specific access takes precedent.  You would
>> need to 'revoke' the normal developer's access to the subdir
>> (if I understand you correctly) by assigning either 'r' or
>> just nothing to their group...
>>
>> ~ mark c
>>
> I tried without anything and still no good
>
> [/DEF]
> @dev =
> @dev1 = rw
>
>
> I have setup a test repo called sandbox with some subdirectories. Here is my authz file minus all the commented out lines:
>
> [aliases]
>
> [groups]
> dev = rcrespo, test
> dev1 = test
> qa = qagroup

I can't explain why, and maybe it's been fixed in a later version, but
I seem to recall having an issue with path-based authorization when
the groups were defined with spaces. IOW, this:

dev = rcrespo, test

did not work properly but this:

dev = rcrespo,test

did.

RE: Limited subdirectory access

Posted by "Cooke, Mark" <ma...@siemens.com>.
Dang, missed all the other replies, sorry... 

> -----Original Message-----
> From: Cooke, Mark 
> Sent: 31 January 2012 09:25
> To: K F; users@subversion.apache.org
> Subject: RE: Limited subdirectory access 
> 
> > -----Original Message-----
> > From: K F [mailto:cmkforce@yahoo.com] 
> > Sent: 30 January 2012 20:40
> > To: users@subversion.apache.org
> > Subject: Limited subdirectory access 
> > 
> > We have repo ABC with 40+ subdirectories. Current svn 
> > security allows developers rw permissions and qa read only to 
> > ABC. We would like to have a subgroup of dev to have access 
> > to subdirectory DEF (ABC/DEF). Is there a way of doing this, 
> > or does the parent directory access take precedent?
> > 
> > Thanks,
> > Rich
> > 
> 
> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
> 
> The most specific access takes precedent.  You would need to 
> 'revoke' the normal developer's access to the subdir (if I 
> understand you correctly) by assigning either 'r' or just 
> nothing to their group...
> 
> ~ mark c
> 

Re: Limited subdirectory access

Posted by Philip Martin <ph...@wandisco.com>.
K F <cm...@yahoo.com> writes:

> Apache was restarted and I can still commit with rcrespo.
>
> Here is what is in svnserve.conf in case something is set wrong there:

Apache doesn't use svnserve.conf.

-- 
Philip

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Tue, 1/31/12, Philip Martin <ph...@wandisco.com> wrote:

> From: Philip Martin <ph...@wandisco.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: "users@subversion.apache.org" <us...@subversion.apache.org>, "MarkCooke" <ma...@siemens.com>
> Date: Tuesday, January 31, 2012, 2:00 PM
> Stefan Sperling <st...@elego.de> writes:
> 
> > On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
> >> [groups]
> >> dev = rcrespo, test
> >> dev1 = test
> >> qa = qagroup
> >> 
> >> [/DEF]
> >> @dev = 
> >> @dev1 = rw
> >> 
> >> [/]
> >> @dev = rw
> >> @qa = r
> >> 
> >> I am still able to commit files in the DEF directory using the rcrespo login.
> >
> > Hmmm... I think you'll have to revoke the dev's group rw access on the root.
> > Then grant write permissions to subtrees individually. I suspect this is
> > because permissions for all path components are combined to form the final
> > set of permissions for a given full path.
> >
> > The book was wrong about this for a long time.
> > It claimed that permissions for earlier components of a path were
> > overridden by permissions for later components, which is incorrect.
> 
> I think that's misleading.  The error in the book involved a user
> matching multiple lines for a single location, like the user 'test'
> above.  When that happens the user gets the union of all the
> permissions, the book mistakenly claimed the first matching line was
> used.
> 
> Using the rules above in a file z.z:
> 
> $ tools/server-side/svnauthz-validate z.z rcrespo /ABC
> user 'rcrespo' has rw access to '/ABC'
> $ tools/server-side/svnauthz-validate z.z rcrespo /DEF
> user 'rcrespo' has no access to '/DEF'
> $ tools/server-side/svnauthz-validate z.z test /DEF
> user 'test' has rw access to '/DEF'
> 
> It appears the authz file is correct and denies rcrespo access to /DEF.
> 
> I suspect the problem is a failure to enable authz at all--editing the
> wrong config file, accessing the wrong repository, failed to restart
> apache, something like that.
> 
> -- 
> Philip
> 

I verified the file is correct. I tried committing with a login other than rcrespo or test and it does not allow the commit. Apache was restarted and I can still commit with rcrespo.

Here is what is in svnserve.conf in case something is set wrong there:
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz


Re: Limited subdirectory access

Posted by Philip Martin <ph...@wandisco.com>.
Stefan Sperling <st...@elego.de> writes:

> On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
>> [groups]
>> dev = rcrespo, test
>> dev1 = test
>> qa = qagroup
>> 
>> [/DEF]
>> @dev = 
>> @dev1 = rw
>> 
>> [/]
>> @dev = rw
>> @qa = r
>> 
>> I am still able to commit files in the DEF directory using the rcrespo login.
>
> Hmmm... I think you'll have to revoke the dev's group rw access on the root.
> Then grant write permissions to subtrees individually. I suspect this is
> because permissions for all path components are combined to form the final
> set of permissions for a given full path.
>
> The book was wrong about this for a long time.
> It claimed that permissions for earlier components of a path were
> overridden by permissions for later components, which is incorrect.

I think that's misleading.  The error in the book involved a user
matching multiple lines for a single location, like the user 'test'
above.  When that happens the user gets the union of all the
permissions, the book mistakenly claimed the first matching line was
used.

Using the rules above in a file z.z:

$ tools/server-side/svnauthz-validate z.z rcrespo /ABC
user 'rcrespo' has rw access to '/ABC'
$ tools/server-side/svnauthz-validate z.z rcrespo /DEF
user 'rcrespo' has no access to '/DEF'
$ tools/server-side/svnauthz-validate z.z test /DEF
user 'test' has rw access to '/DEF'

It appears the authz file is correct and denies rcrespo access to /DEF.

I suspect the problem is a failure to enable authz at all--editing the
wrong config file, accessing the wrong repository, failed to restart
apache, something like that.

-- 
Philip
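
The evaluation described in the message above (the most specific section that names the user decides, and several matching lines in that section are combined as a union) can be modelled in a few lines. This is an added example, not part of the thread and not Subversion's own code; `load`, `applies` and `access` are hypothetical helper names, and the model ignores aliases, nested groups and repository-prefixed sections.

```python
import configparser

# The authz file K F posted for the sandbox test repository.
AUTHZ = """
[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/DEF]
@dev =
@dev1 = rw

[/]
@dev = rw
@qa = r
"""

def load(text):
    """Parse an authz file into (groups, per-path rule lists)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # names and paths are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            # spaces after commas are tolerated by stripping each member
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {s: list(cp.items(s)) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def applies(who, user, groups):
    """Does a rule's left-hand side ('*', '@group' or a user name) cover user?"""
    if who == "*":
        return True
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who == user

def access(text, user, path):
    """Return 'rw', 'r', 'w' or 'no' for user at path under this model."""
    groups, rules = load(text)
    path = "/" + path.strip("/")
    while True:
        granted, matched = set(), False
        for who, perms in rules.get(path, []):
            if applies(who, user, groups):
                matched = True  # an empty value still counts as a match
                granted |= set(perms) & {"r", "w"}  # union of matching lines
        if matched:
            return "".join(p for p in "rw" if p in granted) or "no"
        if path == "/":
            return "no"  # nothing names this user anywhere: denied
        path = path.rsplit("/", 1)[0] or "/"  # fall back to the parent path
```

Under this model a `[/DEF]` section does not cover `/ABC/DEF`, so a rule written for the wrong path leaves the root grant in effect.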

Re: Limited subdirectory access

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
> I tried without anything and still no good
> 
> [/DEF]
> @dev = 
> @dev1 = rw
> 
> 
> I have setup a test repo called sandbox with some subdirectories. Here is my authz file minus all the commented out lines:
> 
> [aliases]
> 
> [groups]
> dev = rcrespo, test
> dev1 = test
> qa = qagroup
> 
> [/DEF]
> @dev = 
> @dev1 = rw
> 
> [/]
> @dev = rw
> @qa = r
> 
> I am still able to commit files in the DEF directory using the rcrespo login.

Hmmm... I think you'll have to revoke the dev's group rw access on the root.
Then grant write permissions to subtrees individually. I suspect this is
because permissions for all path components are combined to form the final
set of permissions for a given full path.

The book was wrong about this for a long time.
It claimed that permissions for earlier components of a path were
overridden by permissions for later components, which is incorrect.

When the error was found we decided to change the book instead of
changing the code to avoid breaking existing authz setups that rely
on this behaviour.
This snippet from the book tries to explain this. But it's not very
clear because it only talks about individual users vs. group
permissions:

  "Another important fact is that group permissions are not overridden by
  individual user permissions. Rather, the combination of all matching
  permissions is granted. In the prior example, Jane is a member of the
  paint-developers group, which has read/write access. Combined with the
  jane = r rule, this still gives Jane read/write access. Permissions for
  group members can only be extended beyond the permissions the group
  already has. Restricting users who are part of a group to less than
  their group's permissions is impossible."
  http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

I suspect the same holds for group vs. group permissions, i.e. you cannot
restrict permissions for the 'dev' group anywhere in the tree since
you've already granted rw permissions on the root folder.

So, assuming your 'dev' group is working in subtrees /ABC and /GHI
I think you'll need:

 [groups]
 dev = rcrespo, test
 dev1 = test
 qa = qagroup
 
 [/]
 # no access at all for 'dev' at the root:
 @dev =
 @qa = r
 
 [/DEF]
 # the following commented line is now implied so not needed:
 #@dev = 
 @dev1 = rw
 
 # grant 'dev' read-write on subtrees they need:
 [/ABC]
 @dev = rw
 [/GHI]
 @dev = rw

Does this work as expected?

RE: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Tue, 1/31/12, Cooke, Mark <ma...@siemens.com> wrote:

> From: Cooke, Mark <ma...@siemens.com>
> Subject: RE: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org" <us...@subversion.apache.org>
> Date: Tuesday, January 31, 2012, 9:25 AM
> > -----Original Message-----
> > From: K F [mailto:cmkforce@yahoo.com]
> 
> > Sent: 30 January 2012 20:40
> > To: users@subversion.apache.org
> > Subject: Limited subdirectory access 
> > 
> > We have repo ABC with 40+ subdirectories. Current svn
> > security allows developers rw permissions and qa read only to
> > ABC. We would like to have a subgroup of dev to have access
> > to subdirectory DEF (ABC/DEF). Is there a way of doing this,
> > or does the parent directory access take precedent?
> > 
> > Thanks,
> > Rich
> > 
> 
> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
> 
> The most specific access takes precedent.  You would
> need to 'revoke' the normal developer's access to the subdir
> (if I understand you correctly) by assigning either 'r' or
> just nothing to their group...
> 
> ~ mark c
> 
I tried without anything and still no good

[/DEF]
@dev = 
@dev1 = rw


I have setup a test repo called sandbox with some subdirectories. Here is my authz file minus all the commented out lines:

[aliases]

[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/DEF]
@dev = 
@dev1 = rw

[/]
@dev = rw
@qa = r

I am still able to commit files in the DEF directory using the rcrespo login.

RE: Limited subdirectory access

Posted by "Cooke, Mark" <ma...@siemens.com>.
> -----Original Message-----
> From: K F [mailto:cmkforce@yahoo.com] 
> Sent: 30 January 2012 20:40
> To: users@subversion.apache.org
> Subject: Limited subdirectory access 
> 
> We have repo ABC with 40+ subdirectories. Current svn 
> security allows developers rw permissions and qa read only to 
> ABC. We would like to have a subgroup of dev to have access 
> to subdirectory DEF (ABC/DEF). Is there a way of doing this, 
> or does the parent directory access take precedent?
> 
> Thanks,
> Rich
> 

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

The most specific access takes precedent.  You would need to 'revoke' the normal developer's access to the subdir (if I understand you correctly) by assigning either 'r' or just nothing to their group...

~ mark c