> -----Original Message-----
> From: Henk P. Penning [mailto:penn...@uu.nl]
> Sent: Tuesday 17 January 2017 08:50
> To: Daniel Shahaf <d...@daniel.shahaf.name>
> Cc: users@subversion.apache.org
> Subject: Re: problem authz_svn_module
>
> On Mon, 16 Jan 2017, Daniel Shahaf wrote:
>
> > Date: Mon, 16 Jan 2017 19:48:44 +0100
> > From: Daniel Shahaf <d...@daniel.shahaf.name>
> > To: Henk P. Penning <penn...@uu.nl>
> > Cc: users@subversion.apache.org
> > Subject: Re: problem authz_svn_module
> >
> > Henk P. Penning wrote on Sun, Jan 15, 2017 at 10:02:12 +0100:
>
> Hi Daniel,
>
> >> but (and this is the PROBLEM) the checkout command prompts
> >> for a username/password :
> >>
> >> % svn co //svn.science.uu.nl/repos/project.mirmon/trunk
> >>
> >> With the "LimitExcept" lines in the config, the checkout
> >> command works, although some errors appear in the log
> >> (see below).
> >>
> >> So, it appears that the 'checkout' command does a
> >>
> >> PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk
> >>
> >> which causes the username/password-prompt when the
> >> "LimitExcept" lines are omitted.
> >>
> >> -- Does this diagnosis make sense ?
> >> -- How do I make this work, without the LimitExcept trick ?
> >
> > LimitExcept is actually the documented recommendation; see
> > http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz
> > (second code snippet)
>
> Eh ; LimitExcept (together with GET PROPFIND OPTIONS REPORT) is
> mentioned in the context of "anonymous read" and "valid-user write"
> [the "GET" is a give-away] ; different case, I think.

Subversion uses a number of methods on both public and private URLs. With the default configuration the private URLs are below the magic '!svn' subdir, but this may be configured differently (and change in future versions).

Usually every Subversion client will start by performing one or more OPTIONS requests, followed by other operations.

LIMITEXCEPT <method>... limits every method except the specified methods with whatever is configured in that block. (Apache also has a 'LIMIT' setting, which works the other way around... But we avoid using that in our sample configurations as we originally assumed that we may use other methods in future versions.)

A checkout with Subversion 1.8 or later against a 1.8+ server will usually include at least the GET, OPTIONS and REPORT methods. Older versions of Subversion and nonstandard configurations may avoid the GET and/or may use PROPFIND.

To configure your repository in your intended way I know of two common configurations:

1. Configure the repository to be available anonymously with the standard LIMITEXCEPT, which I think needs to include more operations than that in your setting. This setting should be applied on the repository root, not the trunk subdirectory. The authz file can then configure specific settings on all subdirectories. This configuration has some known limitations when hiding subdirectories below a visible root... But it is the easiest way to expose full repositories read-only.

2. Create a default guest user (e.g. 'guest' and a blank password). This requires everybody to log in, so everything can be handled by the authz file. Products like CollabNet SvnEdge use this configuration to avoid that problem I just described with hiding subdirectories for specific users.

In your case I think you want to change your httpd.conf block to apply to the repository root to make it include the private URLs, and add the now missing methods to the LimitExcept.
The authz setting will then handle your other configuration settings.

Thanks / Kind regards,
Bert Huijben

>
> What I have is a private repo with a public subtree (trunk) :
>
> [project.mirmon:/]
> penni101 = rw
> # anonymous read not allowed
> * =
> [project.mirmon:/trunk]
> penni101 = rw
> # anonymous read allowed
> * = r
>
> An 'anonymous' user can browse (svn ls, svn cat)
> but not checkout (svn co), because the checkout
> does a (note the '!') :
>
> PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk
>
> > The other option is to set two separate <Location> blocks, one for
> > anonymous users (that excludes everything-but-trunk unconditionally) and
> > one for authenticated users (that requires authentication for all
> > operations).
>
> Do you mean : use 2 AuthzSVNAccessFile's ?
>
> > Daniel
>
> Thanks ; regards,
>
> Henk Penning
>
> ------------------------------------------------------------ _
> Henk P. Penning, ICT-beta R Uithof HFG-406 _/ \_
> Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
> Budapestlaan 6, 3584CD Utrecht, NL F +31 30 253 4553 \_/ \_/
> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl \_/
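
To see which requests of a checkout fall outside an anonymous-read block, the check below (an added example, not part of the thread and not Subversion or Apache code) applies a Location prefix and a LimitExcept method list to access-log lines. The log lines other than the PROPFIND URL, the short method list, and the rule that every uncovered request prompts for a login are assumptions made for the example.

```python
import re

# Constructed access-log lines for one anonymous checkout; only the PROPFIND
# URL is taken from the thread, the rest is sample data.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2017:08:50:01 +0100] "OPTIONS /repos/project.mirmon/trunk HTTP/1.1" 200 188
192.0.2.10 - - [17/Jan/2017:08:50:01 +0100] "PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk HTTP/1.1" 401 381
192.0.2.10 - - [17/Jan/2017:08:50:02 +0100] "REPORT /repos/project.mirmon/!svn/me HTTP/1.1" 401 381
192.0.2.10 - - [17/Jan/2017:08:50:02 +0100] "GET /repos/project.mirmon/trunk/README HTTP/1.1" 200 512
"""

REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')


def under(path, prefix):
    """Segment-wise prefix match, the way a <Location> prefix applies."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def requests_needing_login(log_text, location_prefix, exempt_methods):
    """List (method, path, reason) for requests the anonymous block does not cover.

    Assumption: anything outside the block, or using a method that is not
    listed in its LimitExcept, is answered with a credentials prompt.
    """
    findings = []
    for method, path in REQUEST.findall(log_text):
        if not under(path, location_prefix):
            findings.append((method, path, "outside Location"))
        elif method not in exempt_methods:
            findings.append((method, path, "method not in LimitExcept"))
    return findings


if __name__ == "__main__":
    book_list = {"GET", "PROPFIND", "OPTIONS", "REPORT"}
    for prefix, exempt in [
        ("/repos/project.mirmon/trunk", book_list),     # block scoped to trunk
        ("/repos/project.mirmon", {"GET", "OPTIONS"}),  # root, short list (hypothetical)
        ("/repos/project.mirmon", book_list),           # root, full list
    ]:
        print(prefix, sorted(exempt))
        for finding in requests_needing_login(SAMPLE_LOG, prefix, exempt):
            print("   ", *finding)
```

Run against a real access log of a failing checkout, the same function shows whether the prompt comes from the block's scope or from its method list.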