I'm trying to configure permissions for an SVN repository accessed through Apache 2. What I want is to let anyone access the root directory, while restricting to authenticated users a child directory. Example:
/demo
/demo/project1
/demo/project1/sensitive-data # This path should require user authentication.
/demo/project2
At first, I thought this was as simple as:
<Location /demo>
DAV svn
SVNPath /home/svn/demo
AuthType Basic
AuthName demo
AuthUserFile /etc/subversion/passwd
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
<Location /demo/project1/sensitive-data>
DAV svn
Require valid-user
</Location>
When used through HTTP (for example with CURL), Apache conforms to the configuration: I can access:
and I get, as expected, a HTTP 401 Unauthorized when trying to retrieve http://example.com/demo/project1/sensitive-data.
On the other hand, doing:
svn checkout http://example.com/demo/ .or:svn checkout http://example.com/demo/project1/ .
retrieves the whole directory tree, including demo/project1/sensitive-data.
At least, svn checkout http://example.com/demo/project1/sensitive-data/ . requests for a password.
How should I configure the permissions to restrict the access to sensitive-data directory when doing svn checkout http://example.com/demo/ .?
Best Answer
The
<Location /demo/project1/sensitive-data>block is irrelevant when doing a checkout: it is used only when accessing http://example.com/demo/project1/sensitive-data directly, which is the reason why HTTP requests result inHTTP 401 Unauthorizedand a checkout of this particular directory requires authentication.The proper way to configure path-based authorization is explained in Subversion documentation:
<Location /demo>points to an access file:The access file defines who can access the specific files and directories. Basic example: