Well, after lurking on this list for a year or so, this access system seems to be a problem for many users. It seems that there are all sorts of strange behaviour going on and one has to try all sorts of combinations before you find something working the way you want it to.

We had a situation a bit different from you. We wanted subfolders to be rw access controlled for a group of users, and give no access to the rest of the repository to that group of users. We found out that all users needed r access to topfolder in the repos to be able to create tags (why I don't know?). So the way we ended up setting things up was like this:

    [java:/]
    *=r
    @admin=rw

    [java:/xx/yy]
    @admin=rw
    @yy=rw
    ~yy =
    continuum=r

    [java:/xx/zz]
    @admin=rw
    @zz=rw
    ~zz =
    continuum=r

I have not been able to find a detailed explanation as to how this access system really works, what overrides what etc. so someone with a deep knowledge of this should try and document it properly. As a matter of fact, the ~ construct was only discovered by me looking through the source to try and find out how this really worked. It is not documented in the SVN book!

Geir

-----Original Message-----
From: Gabriel Ricardo [mailto:gabriel.rica...@gmail.com]
Sent: 16. desember 2009 20:36
To: users@subversion.apache.org
Subject: restricting sub-directory permissions

I cannot figure out how to restrict permissions on a sub-directory. What I want is to have anonymous read/write access to everything except a sub-directory, where only two users have read/write and everyone else has no access (read or write). I've done a lot of reading of the manual and googling the users list but can't find anything that solves my problem. Much appreciated if someone can point out my mistake.

I'm using Redhat 5.2, which comes with subversion 1.4.2 (r22196) and apache 2.2.3.

I have one repository at /usr/local/vn7/repos

The relevant parts of my httpd.conf looks like this:

    # SVN setup
    <Location /svn>
      DAV svn
      SVNPath /usr/local/vn7/repos

      # our access control policy
      AuthzSVNAccessFile /usr/local/vn7/etc/svn_auth_paths

      # try anonymous access first, resort to real
      # authentication if necessary.
      Satisfy Any
      Require valid-user

      # how to authenticate a user
      AuthType Basic
      AuthName "Subversion repository"
      AuthUserFile /usr/local/vn7/etc/svn_auth_users
    </Location>

My AuthUserFile looks like this:

    [/]
    * = rw

    [/Delta/trunk/qsrc/strategies]
    mchen = rw
    gricardo = rw
    * =

I want to restrict the /Delta/trunk/qsrc/strategies directory to only have the two users mentioned in the file to access it.

What happens is that when I update (svn update) from the Delta/trunk/qsrc directory of a "working copy" as user gricardo (or any other user), I do not get the updates for the strategies directory. I don't get any prompt asking for password, or any permission error messages, it just does a normal update but doesn't seem to know anything about the sub-directory of interest. I don't get any errors in the httpd log files. The httpd access_log has this:

    10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND /svn/Delta/trunk/qsrc HTTP/1.1" 207 698 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
    10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND /svn/!svn/vcc/default HTTP/1.1" 207 390 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
    10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND /svn/!svn/bln/376 HTTP/1.1" 207 445 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
    10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND /svn/Delta/trunk/qsrc HTTP/1.1" 207 698 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
    10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "REPORT /svn/!svn/vcc/default HTTP/1.1" 200 4247 "-" "SVN/1.4.2 (r22196) neon/0.25.5"

The weird thing is if I change the path in the AuthUserFile to this (add a forward slash at the end of the path):

    [/Delta/trunk/qsrc/strategies/]

...then I can update and get the directory and changes under it, but as ANY user. It does not restrict access.

I've tried re-ordering the user/anonymous permissions lines, and I just cannot get the behavior I want. I can get other types of restricted access to work. For example, I can restrict the entire repo to only have user gricardo = rw. This works, and it prompts user gricardo for a password and then allows updates/commits, etc.

Please help.

Thanks,
-Gabriel
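
Added example, not part of either message and not mod_authz_svn's code: a simplified Python model of the path lookup, run against the access file posted above, to show how an anonymous-first update can silently omit the restricted directory and how a trailing slash leaves the section unmatched. Assumptions: the nearest section (exact path or an ancestor, no trailing slash) with a line applying to the user decides, rights from all applying lines in that section are combined, and under "Satisfy Any" credentials are only requested when the anonymous user cannot read the update target. The file names in TREE are constructed.

```python
import posixpath

POSTED = """\
[/]
* = rw

[/Delta/trunk/qsrc/strategies]
mchen = rw
gricardo = rw
* =
"""
STRAT = "/Delta/trunk/qsrc/strategies"
# Constructed sample tree (file names are hypothetical).
TREE = ["/Delta/trunk/qsrc", "/Delta/trunk/qsrc/main.c", STRAT, STRAT + "/s1.q"]

def parse(text):
    """Return {section_name: {principal: rights}}; section names are kept verbatim."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = rules.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            who, rights = line.split("=", 1)
            current[who.strip()] = rights.strip()
    return rules

def access(rules, user, path):
    """Rights of user (None = anonymous) on a canonical path, walking up to '/'."""
    while True:
        section = rules.get(path, {})          # exact string match on the section name
        hits = [section[k] for k in ("*", user) if k in section]
        if hits:                                # assumed: applying lines are combined
            return "".join(sorted(set("".join(hits))))
        if path == "/":
            return ""
        path = posixpath.dirname(path)

def update_view(rules, user, target, tree):
    """Paths an update of target returns under the assumed anonymous-first flow."""
    effective = None if "r" in access(rules, None, target) else user
    return [p for p in tree if "r" in access(rules, effective, p)]

if __name__ == "__main__":
    rules = parse(POSTED)
    print("gricardo on strategies:", access(rules, "gricardo", STRAT))
    print("update as gricardo:", update_view(rules, "gricardo", "/Delta/trunk/qsrc", TREE))
    slashed = parse(POSTED.replace("strategies]", "strategies/]"))
    print("trailing-slash section:", update_view(slashed, "anyone", "/Delta/trunk/qsrc", TREE))
```

In this model the named users do hold rw on the directory, but the update of Delta/trunk/qsrc is evaluated as the anonymous user because `[/]` grants `* = rw`, so the subtree is filtered without a prompt.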