How do I prevent a subversion user accessing part of the repository?

Question

I'm using a Subversion repository hosted on Dreamhost for a project.

I would like to allow access to some users on a restricted basis. At the very least I would like to allow read-only access to some users, but ideally I would like to prevent some users seeing some parts of repository at all. I can't find user permissions mentioned in the web docs for Subversion though I assume it is there?

I'm used to using Perforce, so what I want is what p4 protect does for Perforce.

Thanks.

Answer 1

If you are using SVN and Apache together , follow the following procedure :

Be aware that the finest permission level you can manage will be on a per repository basis. Assume you have repository1 and repository2

1- Make appropriate user(s) for each repository in a separate file :

sudo htpasswd -c -m /etc/apache2/dav_svn_REPOSITORY1.passwd $user_name_for_repository1
 sudo htpasswd -c -m /etc/apache2/dav_svn_REPOSITORY2.passwd $user_name_for_repository2

If you want to add more users to each file, remove the -c from the command. because it is just for creating the file for the first time.

2- Edit the following file :

nano /etc/apache2/mods-available/dav_svn.conf

you will have a section like this :

<Location /svn>
  SVNPath $your svn repository path
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
  SSLRequireSSL
</Location>

Copy this block for each repository you have , in our case you need one more block like this . Now, get rid of (delete) the above block and add the following block which are altered copies of the above one :

<Location /svn/repository1>
  SVNPath $your svn repository1 path
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn_REPOSITORY1.passwd
  Require valid-user
  SSLRequireSSL
</Location>
<Location /svn/repository2>
  SVNPath $your svn repository2 path
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn_REPOSITORY2.passwd
  Require valid-user
  SSLRequireSSL
</Location>

3- Save the file and restart the Apache.

Answer 2

I'm not familiar with the specific configuration Dreamhost uses, but the typical way of enforcing permissions is to use the Apache authentication mechanisms. Here's the relevant page from the Subversion documentation.

Answer 3

See the accepted answer above. However, for Dreamhost specifics, in ~/svn directory there are two files for each repository repo_name.access and repo_name.passwd. Where repo_name is the name you gave your repository. You can edit the repo_name.access file as described in the accepted answer.

Don't forget to chmod 644 repo_name.access after you edit it so that apache can access it.

Answer 4

Have a look at the authz file in the conf/ directory. You can set permissions for specific users and specific directories. In svnserve.conf you can specify if anonymous users have read access or not.

Here's an example from a repository of mine:

[groups]
project1_team = dave, john, andy

[/]
* =
dave = rw

[/project1]
@project1_team = rw

[/project2]
andy = r

What's happening here is that I defined a group of users having full access to project1; dave (which happens to be me) has full access to the entire repository, while andy has read-only access to project2.

Answer 5

On web hosts, there's typically a configuration file (which can be named anything) to run the authorization. Each repository has a listing like
[my-repository:/]
myuser = rw

Which would give 'myuser' read & write permission on the entire repository. You could also do:

[my-repository/just-this-folder/:]
somejerk: r

Which should do what you want.

Answer 6

The Subversion Book has your answer right here.

Seriously, people: when has it come out of fashion to read even the most basic documentation before pestering other people?