Subversion Authz - Full Access to all except one


I have a subversion server for a client which uses a MySQL database to authenticate employees, and an AuthUserFile (htpasswd) to authenticate other users (vendors) into their repository.

I need to grant full access to the employees * = rw and access to only a subtree for the vendors. (Something like this):

[/]
* = rw   #employees
vendor_user = 

[/sub-repo]
vendor_user = rw

Unfortunately the design of SVN auth seems to cascade * = rw down to everything despite more restrictive rules like vendor_user =

If anyone has advice, I'll be deeply appreciative!

2

There are 2 best solutions below

1
Best answer

I don't think this is possible, but even if it were I can't say I'd recommend doing something like this. From a security standpoint, it's extremely dangerous to grant blanket read/write access and then selectively remove permissions. For instance, what if you forget to remove permissions from a newly added vendor?

Perhaps you could define an "employees" group:

[groups]
employees = user1,user2,user3

Then you can just go:

[/]
@employees = rw
vendor_user =

Also: It would probably be advisable to write a script to generate/maintain the list. Since all the users are listed in the database, you could have a script query the database and generate a new access list as needed.
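A sketch of such a generator script, added here as an example and not taken from the answer. It assumes a hypothetical `employees(username, active)` table and uses an in-memory SQLite database with constructed rows in place of the MySQL server; the vendor name and path are the ones from the question.

```python
import os
import re
import sqlite3
import tempfile

# Conservative allow-list: rejects newlines, '=', '[', ',', '@', '#' and
# anything else that could inject extra rules into the generated file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def load_employees(conn):
    """Return active employee usernames (hypothetical schema), sorted."""
    rows = conn.execute("SELECT username FROM employees WHERE active = 1")
    return sorted(row[0] for row in rows)

def render_authz(employees, vendor_paths):
    """Build authz text: employees get rw at /, vendors only on their path."""
    if not employees:  # likely a failed query; keep the previous file instead
        raise ValueError("no employees returned; refusing to regenerate")
    for name in list(employees) + list(vendor_paths):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe username: {name!r}")
    lines = ["[groups]", "employees = " + ", ".join(employees), "",
             "[/]", "@employees = rw"]
    lines += [f"{vendor} =" for vendor in sorted(vendor_paths)]
    by_path = {}  # one section per path, even if vendors share it
    for vendor, path in sorted(vendor_paths.items()):
        by_path.setdefault(path, []).append(vendor)
    for path, vendors in sorted(by_path.items()):
        lines += ["", f"[{path}]"] + [f"{v} = rw" for v in vendors]
    return "\n".join(lines) + "\n"

def write_atomically(path, text):
    """Write to a temp file, then rename, so readers never see a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the server must read it
    os.replace(tmp, path)

def demo_connection():
    """Constructed sample data standing in for the employee database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, active INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [("user2", 1), ("user1", 1), ("former_employee", 0)])
    return conn

if __name__ == "__main__":
    employees = load_employees(demo_connection())
    print(render_authz(employees, {"vendor_user": "/sub-repo"}))
```

Vendor paths are treated as trusted administrator input here; only usernames are validated.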

0

Groups are definitely the way to go, but you still have a problem. If your user is prevented from seeing the root folder, they won't be able to get to the sub-folder you want them to see.

For this reason I structure the repo with a minimum of meaningful folders at the top level, e.g.:

trunk/
    client/
    services/
    api/

Then set up the permissions using blanket read access, i.e.:

[groups]
core = user1, user2, user3
client = user4

[repo:/]
* = r

[repo:/trunk/client]
@core = rw
@client = rw

[repo:/trunk/services]
@core = rw
@client =

[repo:/trunk/api]
@core = rw
@client = r

Jared is correct that this has its risks and you need to be careful to ensure your users don't drop files anywhere they shouldn't (obliterating files is a pain, hence my using read only for core users too in general), but as long as you set up the repo carefully (for example mirroring the trunk top level structure under the branches to keep the authz file simple), this is an effective way of doing the job.