Sventon (unlike TortoiseSVN) requires read privileges to SVN repo root
Armin Resch
Hi there,
I noticed today that - when User is selected under Authentication method - sventon requires this user to have read access to the repository root in order for him to browse any subfolder to which he user has permission
to read. However, TortoiseSVN
behaves differently. It does allow browsing / check-out of subfolders
without the requirement to be able to read the repo root.
It appears as though sventon won't use the information in the requested URL to check for read permissions for that particular path.
Thx much,
-ar
Jesper Hammarbäck
> Hi there,
Hi!
> I noticed today that - when User is selected under Authentication method -
> sventon requires this user to have read access to the repository root in
> order for him to browse any subfolder to which he user has permission
> to read. However, TortoiseSVN behaves differently. It does allow browsing /
> check-out of subfolders without the requirement to be able to read the repo
> root.
It's only the user used by the cache that needs read access to the
entire repository.
> It appears as though sventon won't use the information in the requested URL
> to check for read permissions for that particular path.
It should be fine to configure a user to have access rights only to a
sub folder, like this:
[/]
* =
[/myproject]
@project_members = r
When accessing sventon the following URL would be denied (and cause
the login screen to reappear)
http://localhost:9999/svn/repos/code/list/
However, the following would be ok for users in the "project_members" group:
http://localhost:9999/svn/repos/code/list/myproject/
Regards
Jesper
> Thx much,
> -ar
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "sventon support" group.
> To post to this group, send email to sventon...@googlegroups.com.
> To unsubscribe from this group, send email to
> sventon-suppo...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/sventon-support?hl=en.
Armin Resch
have you actually tested this?
I just did with the configuration you proposed. I used an app account
with r perms to the repo root to setup the repo in sventon. Then,
configured the access of my own user account according to your
proposal below and I confirmed that I can 'svn up' a WC of a checked-
out subfolder, whereas checking out the root is denied. When I went
back to sventon to access https://svn.domain.net/sventon/repos/testrepo/list/myproject/
with my user credentials, I receive:
Authentication required for directory: myproject/
Authentication failed!
Thx much,
-ar
On Feb 14, 5:52 pm, Jesper Hammarbäck <jes...@sventon.org> wrote:
> 2012/2/10 Armin Resch <resc...@gmail.com>:
> > Hi there,
>
> Hi!
>
> > I noticed today that - when User is selected under Authentication method -
> > sventon requires this user to have read access to the repository root in
> > order for him to browse any subfolder to which he user has permission
> > to read. However, TortoiseSVN behaves differently. It does allow browsing /
> > check-out of subfolders without the requirement to be able to read the repo
> > root.
>
> It's only the user used by the cache that needs read access to the
> entire repository.
>
> > It appears as though sventon won't use the information in the requested URL
> > to check for read permissions for that particular path.
>
> It should be fine to configure a user to have access rights only to a
> sub folder, like this:
>
> [/]
> * =
>
> [/myproject]
> @project_members = r
>
> When accessing sventon the following URL would be denied (and cause
> However, the following would be ok for users in the "project_members" group:http://localhost:9999/svn/repos/code/list/myproject/
>
> Regards
> Jesper
>
>
>
> > Thx much,
> > -ar
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "sventon support" group.
> > To post to this group, send email to sventon...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > sventon-suppo...@googlegroups.com.
> > For more options, visit this group at
>
> - Show quoted text -
Jesper Hammarbäck
> Hi Jesper,
>
> have you actually tested this?
Yes, indeed!
The following config works for me:
File: "svnserve.conf"
[general]
realm = test repo
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
File: "passwd"
[users]
superuser = superuser
restricteduser = restricteduser
File: "authz"
[/]
superuser = rw
restricteduser =
[/myproject]
restricteduser = r
File: "sventon.properties"
enableAccessControl=true
userName=
userPassword=
useCache=true
cacheUserName=superuser
cacheUserPassword=superuser
repositoryRootUrl=svn\://localhost/test
rssTemplateFile=/rsstemplate.html
allowZipDownloads=true
mailTemplateFile=/mailtemplate.html
enableEntryTray=true
repositoryDisplayRootUrl=svn\://localhost/test
enableIssueTrackerIntegration=false
rssItemsCount=20
-----
Regards
Jesper
Armin Resch
Aha, you're using svnserve. I'm using https (ldap credentials!). Can
you retest with http, perhaps? Apache is required for me to monitor
access and frequency thereof.
Cheers and thx,
-ar
On Feb 16, 2:13 pm, Jesper Hammarbäck <jes...@sventon.org> wrote:
> 2012/2/16 Armin Resch <resc...@gmail.com>:
> >> - Show quoted text -
>
> > --
> > You received this message because you are subscribed to the Google Groups "sventon support" group.
> > To post to this group, send email to sventon...@googlegroups.com.
> > To unsubscribe from this group, send email to sventon-suppo...@googlegroups.com.
Armin Resch
Do you have any update for me, such as whether you're still
investigating?
Thx much,
-ar
> > >> - Show quoted text -
>
> > > --
> > > You received this message because you are subscribed to the Google Groups "sventon support" group.
> > > To post to this group, send email to sventon...@googlegroups.com.
> > > To unsubscribe from this group, send email to sventon-suppo...@googlegroups.com.
>
> > - Show quoted text -- Hide quoted text -
Jesper Hammarbäck
> Hi Jesper,
>
> Do you have any update for me, such as whether you're still
> investigating?
Hi!
I can confirm that the HTTP implementation behaves differently!
We need to do some changes in the code to handle this case and I'm
afraid I cannot promise you that we will have time to do this in the
near future.
Armin Resch
Darn, I was hoping it would be as straightforward as updating the
Svnkit version.
Ok, so I won't hold my breath. But you're not saying it's impossible
(which I wouldn't have expected since there ARE clients that can do it
over http). How would I learn that this feature is about to be
tackled? Can I help in any way?
Thx,
-ar
On Feb 20, 3:38 pm, Jesper Hammarbäck <jes...@sventon.org> wrote:
> >> > >> - Show quoted text -
>
> >> > > --
> >> > > You received this message because you are subscribed to the Google Groups "sventon support" group.
> >> > > To post to this group, send email to sventon...@googlegroups.com.
> >> > > To unsubscribe from this group, send email to sventon-suppo...@googlegroups.com.
> >> > - Show quoted text -- Hide quoted text -
>
> >> - Show quoted text -
>
> > --
> > You received this message because you are subscribed to the Google Groups "sventon support" group.
> > To post to this group, send email to sventon...@googlegroups.com.
> > To unsubscribe from this group, send email to sventon-suppo...@googlegroups.com.