Saturday, February 19, 2011

Single read-only user for svn

I'm doing some maintenance on a private svn server. Authentication is handled through Apache basic HTTP+mod_authz_svn. I need to have it so every user has read/write access, except for a single read-only user. The read-only user still needs to be authenticated, though. I set up my authz config file like this:

[/]
* = rw
read-only = r

But this doesn't work. The user "read-only" can still commit changes. I can make things read-only for everyone, but the * bit seems to override what I'm trying to set for "read-only." FWIW, relevant piece of the Apache conf is:

 <Location /repos>
   DAV svn
   SVNPath ...
   SVNIndexXSLT "/svnindex.xsl"

   AuthzSVNAccessFile ...

   AuthType Basic
   AuthName ...
   AuthUserFile ...
   Require valid-user
 </Location>
From stackoverflow
  • In this case, the read-only user still has write access as it also matches the * group.

    A safe way to achieve what you want is to create a group of all users except read-only, e.g.

    [groups]
    all-but-ro = harry, sally, ...
    
    [/]
    @all-but-ro = rw
    read-only = r
    

    (alternatively, you might just generate many =rw lines out of the passwd file)

    It might be that svn matches from top to bottom - this is not documented, and I didn't test. So try

    [/]
    read-only = r
    * = rw
    
    alastairs : +1: _Exactly_ what I was going to say :-)
    iconoplast : I tried the reverse matching, doesn't work. Is there a way to make the group automatically? I'd rather not have to rebuild this file whenever a user is added to the server.
    Martin v. Löwis : If that is the complete file - what is the problem with building it automatically?
  • Hmmm, the previous posts may be correct on the ACL order, but...

    My configuration includes

    AuthzSVNAccessFile "<path-to-svn-acl-file>"
    

    Might this also be a problem?
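
The first answer's suggestion to build the group from the password file can be scripted so the authz file is regenerated whenever a user is added. This is an added example, not code from the original question or answers; it assumes the AuthUserFile is a standard htpasswd file (one user:hash entry per line), and the function names and sample users are hypothetical.

```python
# Build the authz file from htpasswd entries so that every user except
# the read-only account lands in the read/write group.
# Constructed sample input; the hashes are placeholders, not real values.
SAMPLE_HTPASSWD = """\
# constructed sample
harry:$apr1$constructed$placeholder
sally:{SHA}constructed-placeholder

read-only:$apr1$constructed$placeholder
harry:duplicate-entry-placeholder
"""

def htpasswd_users(lines):
    """Return user names in file order, de-duplicated."""
    users = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        name, sep, _hash = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed htpasswd line: {raw!r}")
        # Conservative assumption: refuse names that would be ambiguous
        # once written into a "name = a, b, c" group line.
        if set(name) & set(" \t,=[]@"):
            raise ValueError(f"user name not safe for authz file: {name!r}")
        if name not in users:
            users.append(name)
    return users

def render_authz(users, readonly_user="read-only", group="all-but-ro"):
    """Render the [groups] and [/] sections from the first answer."""
    # Fail closed: if the read-only name is misspelled or missing, the real
    # account would otherwise be placed in the read/write group.
    if readonly_user not in users:
        raise ValueError(f"{readonly_user!r} not found in password file")
    writers = [u for u in users if u != readonly_user]
    if not writers:
        raise ValueError("no read/write users found")
    return (
        "[groups]\n"
        f"{group} = {', '.join(writers)}\n\n"
        "[/]\n"
        f"@{group} = rw\n"
        f"{readonly_user} = r\n"
    )

if __name__ == "__main__":
    print(render_authz(htpasswd_users(SAMPLE_HTPASSWD.splitlines())), end="")
```
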
