svnauthz

Subversion Authz - Full Access to all except one


I have a subversion server for a client which uses a MySQL database to authenticate employees, and an AuthUserFile (htpasswd) to authenticate other users (vendors) into their repository.

I need to grant full access to the employees * = rw and access to only a subtree for the vendors. (Something like this):

[/]
* = rw   #employees
vendor_user = 

[/sub-repo]
vendor_user = rw

Unfortunately the design of SVN auth seems to cascade * = rw down to everything despite more restrictive rules like vendor_user =

If anyone has advice, I'll be deeply appreciative!


Solution

  • I don't think this is possible, but even if it were I can't say I'd recommend doing something like this. From a security standpoint, it's extremely dangerous to grant blanket read/write access and then selectively remove permissions. For instance, what if you forget to remove permissions from a newly added vendor?

    Perhaps you could define an "employees" group:

    [groups]
    employees = user1,user2,user3
    

    Then you can just go:

    [/]
    @employees = rw
    vendor_user =
    

    Also: It would probably be advisable to write a script to generate/maintain the list. Since all the users are listed in the database, you could have a script query the database and generate a new access list as needed.