I have Apache Subversion 1.7.14 hosted on CentOS 7.4 and am having trouble getting path-based authorization set up such that a group restricted to a specific branch can navigate to that branch from the Apache web server.
The example structure is:
/svn/repo/projA
/svn/repo/projA/trunk
/svn/repo/projA/branches
/svn/repo/projA/branches/branch1
/svn/repo/projA/branches/branch2
/svn/repo/projB
/svn/repo/projC
I have a couple groups of users, for example:
[groups]
svn-group1 = ...
svn-group2 = ...
My goal is to have svn-group2 restricted to /svn/repo/projA/branches/branch1 explicitly and not have any access to any other branch, such as:
[/]
* =
@svn-group1 = rw
[repo:/projA/branches/branch1]
@svn-group2 = rw
However, when navigating to https://svn.example.com/repo/projA the svn-group2 users get a Forbidden error. Only if they go to the full URL https://svn.example.com/repo/projA/branches/branch1 do they get access. Ideally I would like svn-group2 to see all parent leaves up to the root directory so they "know" what they have access to from https://svn.example.com.
I can get the right behavior by explicitly excluding every sibling leaf:
[/]
* =
@svn-group1 = rw
[repo:/projA/branches/branch1]
@svn-group2 = rw
[repo:/projA]
@svn-group2 = r
[repo:/projA/trunk]
@svn-group2 =
[repo:/projA/branches/branch2]
@svn-group2 =
[repo:/projB]
@svn-group2 =
[repo:/projC]
@svn-group2 =
This even has the benefit of the user not seeing links to projB and projC from https://svn.example.com/repo. Only projA would be seen, followed by only branches, followed by only branch1.
However, this doesn't guarantee that svn-group2 would only see branch1. I would like to guarantee if svn-group1 creates some new branch that svn-group2 would not see this by default.
I have found some hints of a :glob: rule with some wildcard functionality but I have not been able to get it to work. I could imagine something like below, where the wildcards are excluding sibling branches.
[:glob:repo:/]
@svn-group2 = r
[:glob:repo:/*/]
@svn-group2 =
[repo:/projA]
@svn-group2 = r
[:glob:repo:/projA/*/]
@svn-group2 =
[repo:/projA/branches/]
@svn-group2 = r
[:glob:repo:/projA/branches/*/]
@svn-group2 =
[repo:/projA/branches/branch1]
@svn-group2 = rw
Thanks!
Okay, so there are a couple of things I'll try to clarify for you.
The first `* =` is not necessary. You only need to specify forbidden accessors when there is a parent directory that they have access to.
I can see the train of thought you were going with this; unfortunately it's not possible unless, as you said, you explicitly forbid them access in every sub-directory created. The moment you gave group 2 read access to the base URL of projA, they inherently have read access to any new sub-directories you create, which means any new branches/tags you make, they will see until you update the authz file.
I haven't tried the wildcard stuff yet, and I don't have access to my server at the moment, but when I get home, I might be able to test that out for a more convenient way of doing this.
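To make the inheritance behaviour discussed above concrete, here is an added example (not code from the question or the answer): a small Python evaluator for Subversion 1.7-style authz files. It parses the [groups] and [repo:/path] sections used in the question and computes a user's effective permission on a path by walking from the requested path up to "/" and taking the first section that contains a rule for the user, one of the user's groups, or "*". It then applies the same check to a constructed repository tree to show which entries a browser listing would reveal. The group members alice and bob, the repository name "repo" and the branch3 directory are constructed sample values. The evaluator deliberately omits aliases, "~" negation, $authenticated/$anonymous and :glob: sections (the :glob: syntax sketched in the question exists only in Subversion 1.10 and later), and its precedence within a section (user rule beats group rules, group rules are unioned, "*" is the fallback) is a simplification.

```python
"""Toy evaluator for Subversion 1.7-style path-based authz files (added example)."""
import configparser


def parse_authz(text):
    """Return (groups, rules); rules maps (repo or None, path) -> {subject: perm}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep "@svn-group2" and user names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        # "[repo:/projA/branches/]" -> ("repo", "/projA/branches"); "[/]" -> (None, "/")
        repo, path = section.split(":", 1) if ":" in section else (None, section)
        path = "/" + path.strip("/")
        rules[(repo, path)] = {subj: perm.strip() for subj, perm in cp.items(section)}
    return groups, rules


def subjects_for(user, groups):
    """The user plus every @group that (transitively) contains the user."""
    subjects = {user}
    changed = True
    while changed:
        changed = False
        for name, members in groups.items():
            if "@" + name not in subjects and any(m in subjects for m in members):
                subjects.add("@" + name)
                changed = True
    return subjects


def _section_perm(section, subjects, user):
    """Permission inside one section, or None if no rule in it applies to the user.

    Simplified precedence (assumption): user rule > union of group rules > "*".
    """
    if user in section:
        return section[user]
    group_perms = [p for s, p in section.items() if s.startswith("@") and s in subjects]
    if group_perms:
        return "".join(c for c in "rw" if any(c in p for p in group_perms))
    if "*" in section:
        return section["*"]
    return None


def effective_perm(authz, repo, user, path):
    """Walk from `path` up to "/" and return "rw", "r" or "" (no access)."""
    groups, rules = authz
    subjects = subjects_for(user, groups)
    parts = ("/" + path.strip("/")).rstrip("/").split("/")  # "/a/b" -> ["", "a", "b"]
    for depth in range(len(parts), 0, -1):
        candidate = "/".join(parts[:depth]) or "/"
        for key in ((repo, candidate), (None, candidate)):  # repo-specific section first
            if key in rules:
                perm = _section_perm(rules[key], subjects, user)
                if perm is not None:
                    return perm
    return ""  # no section anywhere on the path applies: deny


def visible_listing(authz, repo, user, tree, path="/"):
    """Children of `path` the user can read, i.e. what a directory listing would show."""
    node = tree
    for part in [p for p in path.split("/") if p]:
        node = node[part]
    base = path.rstrip("/")
    return sorted(child for child in node
                  if "r" in effective_perm(authz, repo, user, base + "/" + child))


# Constructed sample: the question's first attempt (alice and bob are made-up members).
AUTHZ_FIRST = """\
[groups]
svn-group1 = alice
svn-group2 = bob
[/]
* =
@svn-group1 = rw
[repo:/projA/branches/branch1]
@svn-group2 = rw
"""

# Constructed sample: the question's explicit-exclusion variant.
AUTHZ_EXPLICIT = AUTHZ_FIRST + """\
[repo:/projA]
@svn-group2 = r
[repo:/projA/trunk]
@svn-group2 =
[repo:/projA/branches/branch2]
@svn-group2 =
[repo:/projB]
@svn-group2 =
[repo:/projC]
@svn-group2 =
"""

# Constructed layout; branch3 stands for a branch created after the authz file was written.
TREE = {"projA": {"trunk": {}, "branches": {"branch1": {}, "branch2": {}, "branch3": {}}},
        "projB": {}, "projC": {}}

if __name__ == "__main__":
    first, explicit = parse_authz(AUTHZ_FIRST), parse_authz(AUTHZ_EXPLICIT)
    print("first attempt, bob on /projA:", repr(effective_perm(first, "repo", "bob", "/projA")))
    print("explicit, bob sees at /:", visible_listing(explicit, "repo", "bob", TREE, "/"))
    print("explicit, bob sees at /projA/branches:",
          visible_listing(explicit, "repo", "bob", TREE, "/projA/branches"))
```

Run as a script, the first attempt gives bob an empty permission on /projA (the Forbidden the question describes), while the explicit-exclusion file lets bob see only projA at the root but also lists the newly created branch3 under /projA/branches, because branch3 has no section of its own and inherits the "r" granted on /projA. That inherited read is exactly the gap the answer points out.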