I've followed the subversion book countless times to try and set proper path authorization on our subversion server, but I haven't been able to make this work. Here is my access rules file:
[groups]
sales-admin = alexa, miked, chrism
[/]
$authenticated = rw
[Product_Sales:/]
~@sales-admin =
What this should do is give all authenticated users access to every repository hosted on this server, but restrict read and write access of the Product_Sales repository to the sales-admin group. However, this is not the case in practice; none of my permissions are working properly. Here is what happens in each use case:
- When I try to update, commit, or checkout from any other repository, I get an "Access is Forbidden" error, and am given no option to authenticate even after clearing my saved credentials from TortoiseSVN.
- The $authenticated token doesn't work. If I replace "$authenticated = rw" with "* = rw", I regain access again but am no longer asked to log in even though I have not supplied any credentials. Trying to commit does force me to log in, but I need authentication to always occur when interacting with a repository, including on read-only operations.
- Setting permissions on the Product_Sales repository doesn't give me access to Product_Sales at all, even if I have * = rw set on the root of the server.
I need to know what is wrong with my access rules. I've tried several times to make path-based authorization work over the past few years, but to no avail. If anybody can give me a hand here, I would really appreciate it. I just want to know what I'm misunderstanding about the path-based authentication explanation in the Subversion Book.
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
EDIT: Here is my subversion server information
Collabnet Subversion Edge 3.2.2-3395.103
Subversion 1.7.8-3395.103
Best Answer
I have no definitive answer (yet), only some ideas
* = rw
means exactly "Everybody can read and write"; everybody is "even anonymous". Do you have an Apache-based or svnserve'd SVN server? In the case of Apache you have to (must) restrict access to the repository at the Apache layer, before path-based access.
And, BTW, magic tokens are applicable for SVN 1.5+ (any chance you have an older version?)
Update
The course of debugging
DAV svn
SVNListParentPath on
SVNParentPath ...
AuthName ...
AuthType Basic
AuthBasicProvider file
AuthUserFile ...
# AuthzSVNAccessFile ...
Require valid-user
In this config, only users listed in AuthUserFile can get full access to any repo, any part of a repo.
Add path-based checks: uncomment AuthzSVNAccessFile. Because with the config used anonymous users will not have any access to any repo, the $authenticated token becomes excessive: $authenticated == * in this restricted area.
For [Product_Sales:/], for the rule "Only one group has access", I'd prefer a bullet-proof, overloaded definition:
[Product_Sales:/]
* =
@sales-admin = rw
I.e. all access is explicitly disabled, and only one group is enabled in the same explicit style.
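The two rule sets discussed above can be compared with a small model of rule evaluation at a repository root. This is an added example, not Subversion's code and not part of the original answer. It assumes the repository-specific section is consulted before `[/]`, that an allow beats a deny within one section, and that a request no rule matches is denied; the user `bob`, the repository name `Other`, and the `* = rw` root rule in the answer's variant are constructed for illustration.

```python
# Simplified model of authz evaluation at a repository root (added example).
GROUPS = {"sales-admin": {"alexa", "miked", "chrism"}}

# Rules keyed by section name: the question's file and the answer's variant.
QUESTION = {"/": [("$authenticated", "rw")],
            "Product_Sales:/": [("~@sales-admin", "")]}
ANSWER = {"/": [("*", "rw")],   # assumed root rule; Apache must block anonymous
          "Product_Sales:/": [("*", ""), ("@sales-admin", "rw")]}

def applies(token, user):
    """Does a rule's left-hand side match `user` (None means anonymous)?"""
    if token.startswith("~"):
        return not applies(token[1:], user)
    if token == "$anonymous":
        return user is None
    if token == "$authenticated":
        return user is not None
    if token == "*":
        return True
    if user is None:            # named users and groups never match anonymous
        return False
    if token.startswith("@"):
        return user in GROUPS.get(token[1:], set())
    return token == user

def access(rules, repo, user, need="r"):
    """True if `user` gets `need` ('r' or 'w') at the root of `repo`."""
    allow = deny = False
    for section in (f"{repo}:/", "/"):       # repo-specific section first
        for token, rights in rules.get(section, []):
            if applies(token, user):
                allow |= need in rights
                deny |= need not in rights
        if allow or deny:                    # this section decided the request
            return allow                     # an allow beats a deny
    return False                             # nothing matched: denied

def report(rules):
    """Read access for anonymous, a non-member and a group member."""
    users = [None, "bob", "alexa"]           # bob: constructed non-member
    return {(repo, u): access(rules, repo, u)
            for repo in ("Other", "Product_Sales") for u in users}

if __name__ == "__main__":
    for name, rules in (("question", QUESTION), ("answer", ANSWER)):
        for (repo, user), ok in report(rules).items():
            print(f"{name:8} {repo:13} {user or 'anonymous':9} "
                  f"{'read' if ok else 'denied'}")
```

In this model the question's rules deny an anonymous request everywhere, while the answer's variant lets an anonymous request read `Other`, which is why the answer has Apache's `Require valid-user` reject anonymous requests before the access file is consulted.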