1

I have an SVN server with 3 repositories on it. (A, B and C). I am trying to restrict a user (in this example MrX) to have full access to repository B but no access at all to repository A or C (preferred not even see it). I have read the postings and thought i had it correct but when I log in as JJ I can still see all of repository A and C. What am I doing incorrect.

Below is the settings I have for the repositories. Note I would like everyone else to have all read write permissions to A and C repository.

If it matters, I am using CollabNet SubversionEdge on a Windows Server with normal users (not LDAP authentication)

[A:/]
*=rw
MrX =

[B:/]
MrX =rw


[C:/]
*=rw
MrX =
jvoigt
  • 400
  • 4
  • 23
  • I have tried your setup, and it indeed does not work as you want. My guess is that the answer is here: http://svnbook.red-bean.com/en/1.8/svn.serverconfig.pathbasedauthz.html#svn.serverconfig.pathbasedauthz.groups. Another important fact is that **group permissions are not overridden by individual user permissions**. Rather, the combination of all matching permissions is granted. ... Permissions for group members can only be extended beyond the permissions the group already has. Restricting users who are part of a group to less than their group's permissions is impossible. – Ivan Jovović May 08 '15 at 16:32
  • Yes, Thanks. I assumed the answer was in there too (in the SVN book) but have not found one. So are you saying that because the * at the base directory is there, I can not block the user? If not, I am open to any work around or suggestion. – jvoigt May 11 '15 at 12:44
  • http://svnbook.red-bean.com/en/1.8/svn.serverconfig.pathbasedauthz.html: *The thing to remember is that the most specific path always matches first. The server tries to match the path itself, and then the parent of the path, then the parent of that, and so on. The net effect is that mentioning a specific path in the access file will always override any permissions inherited from parent directories.* That means you can allow everyone *rw* on root path, but you can *disallow MrX on trunk*, as it is more speciffic path than root. It would be something like this: `[/] *=rw` and `[/trunk] MrX=`. – Ivan Jovović May 12 '15 at 07:34

1 Answers1

2

I have a similar situation, the only difference being that I'm not targeting a single user, but a @usergroup instead.

For me the following setup works:

[/]
~MrX = rw

[A:/]

[B:/]
MrX = rw

[C:/]

What I'm doing here is assigning by default RW access to everyone for every repo, except MrX. MrX then has RW access to repo B only.

Joao Baltazar
  • 566
  • 9
  • 14