
Subversion Tagging and Security

I have set up an SVN repository from scratch, and I have successfully tagged some of my releases using the SVN copy command.

I used the SSPI auth plugin for Apache, so our developers just hit the server with their network credentials, and everything works nicely.

I have created an AuthZ authorization file, added our developers to groups in the file, and have granted them write access to the root. I also have granted anonymous users read-only access to the root.

I then locked down the /svn/ directory with: Require-group "CORP\CKAN0BlahBlah"

This effectively limits new developers in the security group to read-only access until they are granted access through the AuthZ config file.

Now, I have a couple of questions:

  1. What is the proper way (other than the honor system) to prevent users from committing changes to any of the "tags" directories?

  2. Is it possible to use SSPI to pass the members of the groups to AuthZ, rather than listing the members individually in the configuration file?

asked Nov 06 '25 21:11

John Gietzen


2 Answers

1 - You can use the pre-commit hook to prevent commits, see SVN pre-commit hook for avoiding changes to tags subdirectories.

Edit: To do this on Windows, try the following:

Save this as a file named pre-commit.bat in the hooks folder of your repo:

@echo off
set REPOSITORY=%1
echo %REPOSITORY% | find /I "tags"
if errorlevel 1 goto done
echo You tried to commit to %REPOSITORY% >&2
echo Committing to tags is not allowed >&2
exit 1
:done

Note, this will prevent committing to any repository path that contains the substring tags. Modify according to your needs.

answered Nov 08 '25 11:11

D'Arcy Rittich


For Question #1, I developed this:

@echo off
SET SVNLOOK=C:\Program Files\CollabNet Subversion Server\svnlook.exe
SET GREP=D:\SVN\Repo\hooks\grep.exe
SET LOG=D:\SVN\Repo Logs.txt

>>"%LOG%" echo ==== commit %1 %2 ====
>>"%LOG%" "%svnlook%" changed -t %2 %1

("%svnlook%" changed -t %2 %1 | "%grep%" "^U.*/tags/") && (echo Cannot commit to tags.>&2 && exit 1)
("%svnlook%" log -t %2 %1 | "%grep%" "[a-zA-Z0-9]") || (echo You must specify a comment.>&2 && exit 1)

exit 0

Grabbed the grep tool from http://sourceforge.net/projects/unxutils


For Question #2, the answer is NO, you cannot check against AD security groups in the AuthZ config file.

Thanks for your help, everyone.

answered Nov 08 '25 10:11

John Gietzen
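
For question #1, an added example (not code from either answer) of the same pre-commit check done by parsing the `svnlook changed` output per path. It goes beyond the grep for updates: it also rejects deletes, property changes and adds inside an existing tag, while still allowing a new tag directory. The `SVNLOOK` value, the helper names and the sample lines are assumptions constructed for illustration.

```python
import subprocess
import sys

SVNLOOK = "svnlook"  # assumption: replace with the full path to svnlook.exe


def below_tags(path):
    """Return the part of path below its first 'tags' directory, else None."""
    parts = path.split("/")
    if "tags" not in parts[:-1]:
        return None  # no directory component named exactly 'tags'
    return "/".join(parts[parts.index("tags") + 1:])


def tag_violations(changed):
    """Return (status, path) pairs from `svnlook changed` output that touch
    a tags/ tree in any way other than adding a new tag directory."""
    violations = []
    for line in changed.splitlines():
        # Two status characters (A, D, U, _U, UU), then the path at column 5.
        status, path = line[:2].strip(), line[4:]
        rest = below_tags(path)
        if rest is None:
            continue
        # Allowed: creating tags/ itself, or one directory directly under it,
        # which is how a tag made with `svn copy` appears.
        if status == "A" and (rest == "" or (rest.endswith("/") and rest.count("/") == 1)):
            continue
        violations.append((status, path))
    return violations


# Constructed sample of `svnlook changed` output, for illustration only.
SAMPLE = """\
A   project/tags/1.0/
U   project/trunk/src/main.c
U   project/tags/0.9/src/main.c
_U  project/tags/0.9/
D   project/tags/0.8/
A   project/tags/0.9/notes.txt
"""

if __name__ == "__main__":
    repos, txn = sys.argv[1], sys.argv[2]  # same %1 and %2 the .bat hooks get
    out = subprocess.run([SVNLOOK, "changed", "-t", txn, repos],
                         capture_output=True, text=True, check=True).stdout
    bad = tag_violations(out)
    for status, path in bad:
        print(f"Cannot commit to tags: {status} {path}", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

On Windows the hook itself still has to be an executable file such as pre-commit.bat, which would call this script with %1 and %2.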