Thursday, July 18, 2013

SVN Per-file Access Control

I had the need to impose per-file access control for several files in our repository.  Long story short, some files were subject to designer modification, and subsequently committing those files would break the build.  I initially experimented with the 'needs-lock' property, but with auto-get-lock functionality, it ended up causing more problems (and confusion) than it solved.

I looked around for examples of per-file access control and found little.  Most posts said it can't be done; one said it could be done through modification of the authz config file and provided an example.  Unfortunately it didn't work and locked my entire repository.  Other solutions tended toward a hook, but I wasn't interested in that route as it appears too involved and requires access to the server, something which I don't necessarily have (depending on the project team and IT/admin).

After some trial and error I found something that does seem to work.  It is simple and only involves modifying the authz config file.  Remember, order is important, so place restrictions AFTER permissions.  The format is as follows:

[repo:/path/to/file.txt]
* = access-mode

where

 - path/to/file.txt is the full path to the file within the repository, optionally prefixed with the repository name (the "repo:" part) if needed
 - access-mode is the access desired, such as blank - no access; r - read-only; w - read-write
 - * applies to everyone; you can substitute or augment it with user names or groups

Example:

# disallow write access to license.lic in the /trunk/source folder
[/trunk/source/license.lic]
* = r

Note: I found that it may take a few minutes after you have saved your authz config file for the changes to actually propagate to the svn server/service (probably dependent on operating system, etc.).  If you find that the change doesn't appear to work, wait a bit and/or restart the svn server.
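
Since a bad authz edit can lock the whole repository, it helps to check what a rule file grants before saving it to the server. The following is an added example, not code from the original post or from Subversion: a small Python checker that reads authz text and reports the access letters a user ends up with on a path, using Subversion's documented resolution (the most specific path section that names the user wins, and matching entries in that section are combined). It assumes sections without a repository prefix and ignores aliases and special tokens; the sample file, the "release" group and the user names are constructed.

```python
import configparser
import posixpath

# Constructed sample: the post's license.lic rule plus an assumed root rule
# and an assumed "release" group that keeps write access to the file.
SAMPLE_AUTHZ = """
[groups]
release = rita

[/]
* = rw

# disallow write access to license.lic in the /trunk/source folder
[/trunk/source/license.lic]
* = r
@release = rw
"""

def load_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def _applies(principal, user, groups):
    if principal in ("*", user):
        return True
    return principal.startswith("@") and user in groups.get(principal[1:], set())

def effective_access(cp, user, path):
    """Return the access letters ("", "r", "rw") that apply to user at path."""
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",")}
                  for g, v in cp.items("groups")}
    while True:
        if cp.has_section(path):
            modes = [v for k, v in cp.items(path) if _applies(k, user, groups)]
            if modes:  # most specific section naming this user decides
                granted = "".join(modes)
                return "".join(c for c in "rw" if c in granted)
        if path == "/":
            return ""  # no rule matched anywhere: no access
        path = posixpath.dirname(path)

if __name__ == "__main__":
    cp = load_authz(SAMPLE_AUTHZ)
    for user in ("dana", "rita"):
        for p in ("/trunk/source/license.lic", "/trunk/source/main.c"):
            print(user, p, repr(effective_access(cp, user, p)))
```

Checking a neighbouring file as well as the restricted one confirms that the new section narrowed access to that file only and did not change access elsewhere in the repository.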