5
votes

I'm doing some maintenance on a private svn server. Authentication is handled through Apache basic HTTP+mod_authz_svn. I need to have it so every user has read/write access, except for a single read-only user. The read-only user still needs to be authenticated, though. I setup my authz config file like this:

[/]
* = rw
read-only = r

But this doesn't work. The user "read-only" can still commit changes. I can make things read-only for everyone, but the * bit seems to override what I'm trying to set for "read-only."

FWIW, relevant piece of the Apache conf is:

 <Location /repos>
   DAV svn
   SVNPath ...
   SVNIndexXSLT "/svnindex.xsl"

   AuthzSVNAccessFile ...

   AuthType Basic
   AuthName ...
   AuthUserFile ...
   Require valid-user
 </Location>
2

2 Answers

8
votes

In this case, the read-only user has still write access as it also matches the * group.

A safe way to achieve what you want is to create a group of all users except read-only, e.g.

[groups]
all-but-ro = harry, sally, ...

[/]
@all-but-ro = rw
read-only = r

(alternatively, you might just generate many =rw lines out of the passwd file)

It might be that svn matches from top to bottom - this is not documented, and I didn't test. So try

[/]
read-only = r
* = rw
0
votes

Hmmm, the previous posts may be correct on the ACL order, but...

My configuration includes

AuthzSVNAccessFile "<path-to-svn-acl-file>"

Might this also be a problem?