Fine-grained permissions on SVN Repository

Question

Hello,

I'm trying to setup a SVN repo for a whole bunch of users. Different users need to have different levels of access to areas of the repository. A trivial example might be that frontend engineers need access to the "view" and "controllers" but not "model", while backend engineers need access to the "controllers" and "model" but not "view".

It needs to be one repository, because (as far as I know) that's the only way to ensure that commits touching multiple modules are atomic.

Is there a fine-grained way to control user access to a repository?

Thanks!

Answer 1

Yes, you can use path-based authorization in SVN, but I would highly discourage it.

For one thing, it has a big impact on performance of your repository when you turn it on. Secondly, just because front-end developers only "need" access to views and controllers, what happens in a feature they're working on requires changes to the model? Either they make the change themselves and commit it with their updates, or they ask a "model" developer to do it and it takes an extra day to organise everything.

As long as you've got code reviews in place, there's really no point for the extra hoops.

Even if you don't have code reviews, commit history will be able to tell who made a change to what part of the code. If you really don't trust you front-end developers not to step on other people's toes without some moderation, then do you really trust them to do anything at all?

Answer 2

You can use path-based authorization. You define the Read or Write permissions for each path in a file; permissions are inherited.

For example, using groups ( @groupname ):

# Everyone get read access
[/prj1/trunk]
@backend = R
@frontend = R

#Specific rights
[/prj1/trunk/model]
@backend = RW

[/prj1/trunk/controllers]
@backend = RW
@frontend = RW

[/prj1/trunk/view]
@frontend = RW

You reference this file from svnserve.conf or httpd.conf. ( For a full description see the reference in the previous answer. )