SVN - User directory permissions

2020-06-23 07:11发布

问题:

I'm using SVN (CollabNet Subversion Edge) and Tortoise SVN to manage a website being edited by multiple people.

I'd like to limit access by some users to some directories (to prevent them seeing database credentials etc). They only require read access to one directory.

Is it possible to do this in SVN?

Thanks!

Edit

They are running a mix of XP and Windows 7. The server is on Windows 2008. The protocol being used is http.

回答1:

This can be achieved by using the svnaccess.conf file. Assuming you use windows domain authentication, here is one way to provide folder-level access to windows users. (a sample section of the svnaccess.conf file)

[repo:/trunk/samplefolder]

*=

@repo_restricted_users = r

@repo_super_users = rw

Here, repo_restricted_users and repo_super_users are user groups which must be defined earlier in the svnaccess.conf file - thus:

repo_restricted_users = john.doe, tom.riddle

repo_super_users = harry.potter, lord.voldemort

This will provide read access to just the folder samplefolder within the repository while keeping other folders closed. Hope this helps.



回答2:

The SVN book as linked by Mike gives you a good overview over the authentication methods available.

If you are on Windows and don't mind switching the SVN server, VisualSVN Server is a free svn/Apache wrapper that can be installed within minutes, and provides brain-dead easy point-and-click user/access management. I've been using it for years and I love it.



回答3:

You can do what you want in a platform independent way by writing what is called a pre-commit hook. You can read more about hooks in the svn book. Basically, you will be given the user name and the directory location of the updates, and have the ability to decide whether or not to accept the transaction.

A good example of this is found on this site. Basically, you will want to use the script commit-access-control.pl, which is packaged with subversion, to perform the permission check for you. All you have to do is write a simple configuration file which describe where people can write and read.

If you happen to be using http with apache, then you can use the authz_svn apache module describe here in the book.



回答4:

If they need a single directory, I think easiest would be to create a second / other repository for that, and including it with svn:externals in the 'main' project (which will still make svn update also fetch updates from the other repository etc.).