On 2013-12-01 15:39, Peter Flynn wrote:
> I have a number of svn repositories running under Apache+subversion on
> CentOS6/64, with Submin to provide a web GUI to manage them:
>
> server.name/svn/foo
> server.name/svn/bar
> server.name/svn/blort
> etc
>
> All of them are private; all but one of them are single-user (me) so
> that I can carry on working from any of my machines in multiple
> locations. One of them is shared with colleagues on a project: they all
> have read/write privs on that repo.
>
> The URIs are not published or linked, and my colleagues are all well
> aware of the need to keep their shared URI private. But the requirement
> is that none of them must be open to casual read access via a web
> browser, in case someone happens to stumble upon or guess the URI.
>
> I am having problems getting the access privs right, as they keep
> causing "svn: E220000: Not authorized to open root of edit operation"
> during an svn up. However, in a long exchange with the very helpful
> submin support
> (https://ssl.supermind.nl/collab/projects/submin/ticket/336) we have
> failed to identify settings that work.
>
> Currently the svn/conf/authz file says
>
>> [groups]
>> dev = a,b,c,d,e,me
>>
>> [foo:/]
>> @dev = rw
>>
>> [bar:/]
>> me = rw
>>
>> [blort:/]
>> me = rw
>
> The Apache conf.d/subversion.conf says:
>
>> <Location /svn>
>>   DAV svn
>>   SVNParentPath /var/lib/submin/svn
>>   # removed GET from LimitExcept to prevent casual browsing
>>   <LimitExcept PROPFIND OPTIONS REPORT>
>>     AuthType Basic
>>     AuthName "Authorization Realm"
>>     AuthUserFile /etc/svn.auth
>>     Require valid-user
>>   </LimitExcept>
>> </Location>
>
> and svn.auth specifies a username:encryptedpassword pair for each member
> of [groups] in the usual way.
>
> 1. Browsing with a web browser causes a prompt for the username/password
> as expected.
>
> 2. An svn ci operation works fine.
>
> 3. An svn up operation fails, and always causes an E220000 error.
>
> 4. Replacing the GET in the LimitExcept config allows svn up to work
> without error, but allows casual browsing of the web interface.
>
> Is there a way to prevent the casual browsing while avoiding the E220000
> error?
>
You do not have AuthzSVNAccessFile $path/to/authz in your Location config.

-- 
olli
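
An added example, not part of either message: the `<Location>` block from the question with the `AuthzSVNAccessFile` directive named in the reply, and with `Require valid-user` applied to every method instead of inside `<LimitExcept>`, since `<LimitExcept>` leaves the methods it lists (here PROPFIND, OPTIONS and REPORT) without an authentication requirement. It assumes mod_authz_svn is loaded; `/path/to/authz` is a placeholder for the authz file quoted above.

```apache
# Assumption: mod_authz_svn is loaded alongside mod_dav_svn, e.g.
#   LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /svn>
    DAV svn
    SVNParentPath /var/lib/submin/svn

    # The per-repository sections ([foo:/], [bar:/], [blort:/]) are only
    # consulted when this directive points at the authz file.
    # Placeholder path: substitute the real location of the authz file.
    AuthzSVNAccessFile /path/to/authz

    # No <LimitExcept> wrapper: GET, PROPFIND, OPTIONS, REPORT and every
    # other method require a valid login, so neither a browser nor an svn
    # client can read anything anonymously.
    AuthType Basic
    AuthName "Authorization Realm"
    AuthUserFile /etc/svn.auth
    Require valid-user
</Location>
```

With the authz file shown in the question there is no `* = r` entry, so an authenticated user outside `dev` (or other than `me` on the single-user repositories) is still refused by mod_authz_svn.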