On 16 jan 2013, at 20:44, C. Michael Pilato wrote:

> On 01/16/2013 02:27 PM, Thomas Åkesson wrote:
>>
>> On 16 jan 2013, at 20:15, C. Michael Pilato wrote:
>>
>>> On 01/16/2013 01:54 PM, Thomas Åkesson wrote:
>>>> Hi Ivan,
>>>>
>>>> I committed to drafting some change notes for this change quite some time
>>>> ago.
>>>>
>>>> - Below is a draft of a section to include in Release Notes. I suggest
>>>>   just after "In repository authz".
>>>> - Patch contains line for CHANGES
>>>> - Patch contains clarification and new example for mod_authz_svn INSTALL
>>>>   file.
>>>>
>>>> Hope I got the patch right.
>>>
>>> Thanks, Thomas. I like the release notes, and will incorporate them in just
>>> a few minutes.
>>
>> Good.
>
> Actually, I have a quick question for you. Your release notes say:
>
> {{{
> The access to "Collection of Repositories" is not restricted by
> mod_authz_svn. In order to require authentication on this location, the
> location should have "Satisfy All" (default). See examples in INSTALL for
> mod_authz_svn for additional details.
> }}}

Hmm, yes... complicated.

>
> I *think* I understood what you meant in calling out that this is "not
> restricted by mod_authz_svn",

Since Subversion 1.7, mod_authz_svn always returns OK for CoR, regardless of what's in the authz file. Before 1.6 it was possible to control access to CoR with [/] section. So, if the CoR should not be anonymously accessible, we must do Satisfy All + Require valid-user.

> and wordsmithed that section to read like this
> instead:
>
> {{{
> NOTE: Access to "Collection of Repositories" is not restricted by
> mod_authz_svn, but is instead managed by mod_dav_svn itself. In order to
> require authentication on this location, the location should have "Satisfy
> All" (which is the default value of this directive). See examples in
> mod_authz_svn's INSTALL document for additional details.
> }}}
>
> Is this still accurate?

I think you have improved this complicated piece.

> but is instead managed by mod_dav_svn itself

Is it technically managed by mod_dav_svn? Or is it... Apache core? Probably doesn't matter.

Btw, I tried to convey the difficulty of combining Anonymous and authenticated access (you wrote about that long ago) in the Note under Example 2. Hope you find that description accurate.

/Thomas Å.
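
The "Satisfy All + Require valid-user" setup discussed in the message above, written out as an httpd configuration fragment. This is an added example, not taken from the thread or from the mod_authz_svn INSTALL file; the URL path, filesystem paths and realm name are placeholders.

```apache
# Added example. All paths and the realm name are placeholders.
# Apache httpd 2.2 syntax; on 2.4 the Satisfy directive comes from
# mod_access_compat.

<Location /svn>
  DAV svn

  # Parent directory holding the repositories (placeholder path).
  SVNParentPath /srv/svn/repos

  # Enables the "Collection of Repositories" listing at /svn/.
  SVNListParentPath On

  # Path-based rules for the repositories themselves. Per the thread,
  # since Subversion 1.7 a [/] section here no longer controls access
  # to the Collection of Repositories listing.
  AuthzSVNAccessFile /etc/apache2/svn-authz.conf

  AuthType Basic
  AuthName "Subversion repositories"
  AuthUserFile /etc/apache2/svn-users.htpasswd

  # Authentication is what protects the listing, so it must be
  # mandatory: every request needs a valid user.
  Require valid-user

  # "All" is the default value of Satisfy; it is spelled out here so
  # that a later switch to "Satisfy Any" (used for mixed anonymous and
  # authenticated access) is a visible change. With "Satisfy Any",
  # the listing is not held back by mod_authz_svn, because it returns
  # OK for this location regardless of the authz file.
  Satisfy All
</Location>
```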