I have a few dozen SVN repos that must be accessible to all users, and a single repo that needs to be restricted to just one group. I've tried setting up my .svnaccess file like so:

    [groups]
    special = alice,bob

    [/]
    * = rw

    [RestrictedRepo:/]
    * =
    @special = rw

However, this results in even alice and bob being unable to access RestrictedRepo. If I use ~@special = instead of * =, then I end up with all users having access. Moving the * = to the last line does not change anything.

Is there any way I can do this without setting root permissions to nothing and giving explicit access to all non-group members on each of my many other repos?

I'm running this on an older server with svn 1.5.1.

2 Answers

0

I tested the same configuration on my server and it works. Did you restart the svnserve service (assuming you're on a Linux system) after editing your configuration?

This book about Subversion says:

Another important fact is that group permissions are not overridden by individual user permissions. Rather, the combination of all matching permissions is granted. [...] Permissions for group members can only be extended beyond the permissions the group already has. Restricting users who are part of a group to less than their group's permissions is impossible.

For me, your configuration is correct; alice and bob should have access to the RestrictedRepo.

  • I'm serving it through apache2, and I did restart apache after each change to the file. Perhaps it makes a difference that this is a fairly old server running svn 1.5.1? Commented May 15, 2018 at 14:53
  • On version 1.5.*, the first matching rule is the one which gets applied to a user. Try putting * = after @special = rw Commented May 15, 2018 at 15:03
  • I've just tried it with the * = last, and it still won't give group members read access Commented May 15, 2018 at 15:49
0

My problem was that the apache config contained these lines:

    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>

This allows unauthenticated access to the server for all read operations. It appears I will need to either require login for all reads (by removing the LimitExcept specifier around the Require) or implement something like what's described at http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir to get mixed authenticated and anonymous access.
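The two options named in the answer above, sketched as an added example that is not part of the original post. It assumes Apache 2.2-style directives with mod_dav_svn and mod_authz_svn loaded; the `/svn` location, all file paths and the realm name are placeholders.

```apache
# Constructed example: /svn, the paths and the realm name are placeholders.
<Location /svn>
    DAV svn
    SVNParentPath /path/to/repos

    # Path-based rules: the [groups], [/] and [RestrictedRepo:/] sections.
    AuthzSVNAccessFile /path/to/.svnaccess

    AuthType Basic
    AuthName "Subversion repositories"
    AuthUserFile /path/to/htpasswd

    # Option A: require a login for every method, reads included.
    # Without the <LimitExcept> wrapper, GET/PROPFIND/OPTIONS/REPORT are
    # authenticated too, so mod_authz_svn always has a username to match
    # against @special.
    Require valid-user

    # Option B: mixed anonymous and authenticated access.
    # Uncomment the next line and keep "Require valid-user" above.
    # Apache then tries the request anonymously first; where the access
    # file denies anonymous ("* =" under [RestrictedRepo:/]) it asks for
    # credentials, and the authenticated user is checked against the rules.
    # Satisfy Any
</Location>
```

After reloading Apache, an unauthenticated read of RestrictedRepo should produce a 401 challenge under either option, while the other repositories stay readable without a login only under option B.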
