View Log Problems When Using Path Based Authentication

2011-02-08 Thread John Conrad
I have a repository that I have configured to use path based permissions
via svnserve (additional config info below). Any user that has
authenticated has full read/write access to the entire repository while
anonymous users have read only access to a single path in the repository,
all other paths forbidden. These permissions appear to be working
correctly, everyone can update, check out, and commit what is expected.

The PROBLEM occurs when I try to view the log of a path inside the
restricted area accessible only to authenticated users. With authentication
cache cleared, executing an 'svn ls' correctly challenges you for
credentials while 'svn log' produces the "svn: Item is not readable" error
message. This makes it impossible to retrieve a log for these areas of
the repository. These are the specific commands I have used:

svn ls svn://myserver/restricted    <-- works
svn log svn://myserver/restricted   <-- fails

If the authentication cache is populated when I execute 'svn log' I get the
same error. If I manually specify the username and password for the
'svn log' command I get the same error.

My configuration files are listed below and I am running SVN 1.6.12 with
a fsfs database. Anyone have any idea what is going on here? Do I have
something misconfigured? I feel like I may have found a bug. Thanks in
advance.

-- John

svnserve.conf:

[general]
password-db = passwd
authz-db = authz

authz:

[/]
$anonymous =
$authenticated = rw

[/api]
$anonymous = r


Combining public and private paths

2011-02-10 Thread John Conrad
For what it's worth, I have run into the same problem and the only
solution I have found is to switch to a different access method. As
best as I can tell svnserve is simply not an option when trying to set
up a repository with path based authentication when select areas are
flagged inaccessible to anonymous users. I have recently switched from
an svnserve to an Apache-based setup and, using the exact same authz-db
file, svnserve failed to return "svn log" results for protected paths
while Apache worked correctly.

The below issue on the SVN tracker I think refers to this issue and it
has been open since Oct. 2009:
http://subversion.tigris.org/issues/show_bug.cgi?id=3516

Anyway, I could be totally wrong here, but I do not think what you
want to do is possible with svnserve. I hope I am mistaken, but if
not, sorry to be the bearer of bad news.

On Thu, Feb 10, 2011 at 9:30 PM, Victor Sudakov wrote:
> The problem is probably in the following. When anon-access is other
> than "none", svnserve does not request authentication for some
> important operations like "svn log", and I have found no way to force
> it to request authentication. This effectively breaks path based
> authorization.
>
> I have found some tricky solutions for the http access method (like
> defining two aliases for the same repository), but none for the
> svnserve method. Any help?
>
> Victor Sudakov wrote:
>>
>> I am trying to set up the following policy: a private repository with
>> some public paths. Is such configuration supported at all?
>>
>> The following configuration:
>>
>> == conf/svnserve.conf:
>> anon-access = read
>> auth-access = write
>> authz-db = authz
>>
>> == conf/authz:
>> [/]
>> @noc = rw
>>
>> [/foo]
>> $anonymous = r
>> $authenticated = rw
>>
>> does not work. A valid user from the noc group receives the following reply:
>>
>> $ svn diff -c2237 www.txt
>> svn: Unreadable path encountered; access denied
>>
>> If I change "anon-access = read" to "anon-access = none", it begins to
>> work for the valid user, but there is no anonymous access to anyone
>> even to svn://myserver/foo despite the "$anonymous = r" clause.
>>
>> What am I doing wrong?
>>
>> --
>> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
>> sip:suda...@sibptus.tomsk.ru
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
>