I have a subversion server for a client which uses a MySQL database to authenticate employees, and an AuthUserFile (htpasswd) to authenticate other users (vendors) into their repository.
I need to grant full access to the employees (* = rw) and access to only a subtree for the vendors. (Something like this):

    [/]
    # employees
    * = rw
    vendor_user =
    [/sub-repo]
    vendor_user = rw

Unfortunately the design of SVN auth seems to cascade * = rw down to everything despite more restrictive rules like vendor_user =
If anyone has advice, I'll be deeply appreciative!
I don't think this is possible, but even if it were I can't say I'd recommend doing something like this. From a security standpoint, it's extremely dangerous to grant blanket read/write access and then selectively remove permissions. For instance, what if you forget to remove permissions from a newly added vendor?
Perhaps you could define an "employees" group:

    [groups]
    employees = user1,user2,user3

Then you can just go:

    [/]
    @employees = rw
    vendor_user =

Also: It would probably be advisable to write a script to generate/maintain the list. Since all the users are listed in the database, you could have a script query the database and generate a new access list as needed.
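
The generator script suggested above could look like the following sketch. It is an added example, not code from the original answer; the function names, the username policy, the file mode and the sample names are assumptions, and the two lists stand in for the results of the MySQL query and the htpasswd listing.

```python
import os
import re
import tempfile

# Assumed username policy: only characters that cannot alter authz syntax.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def build_authz(employees, vendors, vendor_path="/sub-repo"):
    """Return authz text: employees rw on /, vendors rw only on vendor_path."""
    employees = sorted(set(employees))
    vendors = sorted(set(vendors))
    if not employees:
        # A failed or empty query must not silently replace a working file.
        raise ValueError("empty employee list; refusing to build an authz file")
    for name in employees + vendors:
        # A name containing ',', '=', '[', '@', '*' or a newline could add
        # group members or whole sections, so reject it instead of escaping.
        if not _SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe username: {name!r}")
    overlap = sorted(set(employees) & set(vendors))
    if overlap:
        raise ValueError(f"listed as both employee and vendor: {overlap}")
    lines = ["[groups]", "employees = " + ",".join(employees), "",
             "[/]", "@employees = rw"]
    lines += [f"{v} =" for v in vendors]       # explicit "no access" at the root
    lines += ["", f"[{vendor_path}]"]
    lines += [f"{v} = rw" for v in vendors]    # access only inside the subtree
    return "\n".join(lines) + "\n"


def write_authz(path, text):
    """Replace the file atomically so the server never reads a partial list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o640)  # assumed mode: readable by the web server's group
    os.replace(tmp, path)


if __name__ == "__main__":
    # Constructed sample input; a real run would read these from the database.
    print(build_authz(["user1", "user2", "user3"], ["vendor_user"]), end="")
```

Because vendors are never placed in a blanket rule, a newly added vendor has no access until the generator lists them under the subtree section.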