Platform/Versions: Windows Server 2008 R2 Std SP1 (64 bit) CollabNet Subversion Apache 2.2.23 (win32) CollabNet Subversion Client Svnserve V1.7.8 Authentication using SSPI (active directory) Tortoise SVN Client V1.8.11 (64 bit) or higher on Windows 7 Pro

We use an access control file to limit who has access to subversion top-level repositories. We are now wanting to limit access to certain folders under the top-level. We’ve referenced the following examples, but they don’t seem to work for us.
https://nithint.wordpress.com/2009/12/17/format-of-svn-access-file-for-path-based-authorization/
https://www.open.collab.net/community/subversion/svnbook/svn.serverconfig.pathbasedauthz.html
We have found that if you have access at the top level, then you get access to all lower level folders including the folders where someone should be denied access. Additionally, if you don’t have access at the top level but are given access at the lower level, you are still blocked from accessing the lower level. (We’re ok with the latter but find it curious as it seems to contradict what the websites say regarding permissions, that is, permissions at lower levels should override permissions at upper levels.) The access control at the lower level seems to be ignored.
What we want:
Junk_repo – top-level, grant Beth, Eric and Joe access
Junk_repo/Commercial – grant Beth, Eric and Joe access
Junk_repo/Military – grant Beth & Eric access. Deny Joe access
We tried using groups and setting the permissions by group. (We use domain\userid active directory authentication therefore our access control file also uses domain\userid format.)
The groups:
Junk_repo_team = domain\beth, domain\eric, domain\joe
Junk_repo_comm_team = domain\beth, domain\eric, domain\joe
Junk_repo_mil_team = domain\beth, domain\eric (No Joe)
The access:
[Junk_repo:/]
@Junk_repo_team = rw (Beth, Eric Joe have access)
[Junk_repo:/Commercial]
@Junk_repo_comm_team = rw (commercial team (Beth, Eric, Joe) has access)
[Junk_repo:/Military]
@Junk_repo_mil_team = rw (military team (Beth, Eric) has access. No access for Joe)
The above failed so we then tried setting permissions by listing the userids at each level:
[Junk_repo:/]
domain\beth = rw (Beth, Eric and Joe have access)
domain\eric = rw
domain\joe = rw
[Junk_repo:/Commercial]
domain\beth = rw (Beth, Eric and Joe have access)
domain\eric = rw
domain\joe = rw
[Junk_repo:/Military]
domain\beth = rw (Beth and Eric have access. Joe does not have access.)
domain\eric = rw
#We even tried specifically denying Joe access to the Military folder:
domain\joe=
In both scenarios Joe was able to access the Junk_repo/Military folder where we specifically did not want him to have access to it.
Do you have any experience with blocking access at various levels of a repo? If so, do you see anything obvious that we’re doing wrong?
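For reference, here is an added example (not part of the original post, and not Subversion's own code): a simplified Python model of the lookup rule described on the svnbook page linked above, where the most specific path section that names the user decides and the parents are consulted otherwise. The two authz files are constructed from the post's two attempts with the inline annotations dropped; the `[groups]` header, the omission of the Commercial sections, and the names `parse_authz` and `access` are assumptions of this example.

```python
import configparser

# Constructed from the post's two attempts: inline annotations dropped,
# [groups] header assumed (the post does not show it).
BY_GROUP = r"""
[groups]
Junk_repo_team = domain\beth, domain\eric, domain\joe
Junk_repo_mil_team = domain\beth, domain\eric
[Junk_repo:/]
@Junk_repo_team = rw
[Junk_repo:/Military]
@Junk_repo_mil_team = rw
"""
BY_USER = r"""
[Junk_repo:/]
domain\beth = rw
domain\eric = rw
domain\joe = rw
[Junk_repo:/Military]
domain\beth = rw
domain\eric = rw
domain\joe =
"""

def parse_authz(text):
    """Return (groups, rules); rules maps 'repo:/path' to {principal: rights}."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep names as written; this model compares them exactly
    cp.read_string(text)
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",")} for g, v in cp.items("groups")}
    return groups, rules

def access(authz_text, repo, path, user):
    """Rights for user on path: the nearest section that names the user decides."""
    groups, rules = parse_authz(authz_text)
    parts = [p for p in path.split("/") if p]
    while True:
        section = rules.get(f"{repo}:/" + "/".join(parts), {})
        hits = [v for who, v in section.items()
                if who in (user, "*") or (who[:1] == "@" and user in groups.get(who[1:], ()))]
        if hits:  # union of the rights on every matching line in this section
            return "".join(sorted(set("".join(hits)) & {"r", "w"}))
        if not parts:
            return ""  # no rule anywhere on the way up: no access
        parts.pop()
```

Under this rule the group-based file leaves Joe with inherited `rw` on `/Military`, because that section never names him, while the explicit `domain\joe =` line in the second file is what removes it. The model shows only what the documented rule yields for these files, not what the server in the post actually evaluated.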