ansaurus

Question

Answer 1

+6 A:

1 - You can use the pre-commit hook to prevent commits, see SVN pre-commit hook for avoiding changes to tags subdirectories.

Edit: To do this on Windows, try the following:

Save this as a file named pre-commit.bat in the hooks folder of your repo:

@echo off
set REPOSITORY=%1
echo %REPOSITORY% | find /I "tags"
if errorlevel 1 goto done
echo You tried to commit to %REPOSITORY% >&2
echo Committing to tags is not allowed >&2
exit 1
:done

Note, this will prevent commiting to any repository path that contains the substring tags. Modify according to your needs.

RedFilter 2009-05-19 18:41:55

Is there a way to do this on windows?

John Gietzen 2009-05-19 18:49:03

Hooks are on the server side, so it can be done with a compiled app, shell script, command file, etc. that is native to the host platform.

crashmstr 2009-05-19 18:52:33

so, i've been googling around for a .bat pre-commit script and almost all of them call a Perl script. I don't thik i can get permission to install perl on this server, so do you know of a pure .bat version?

John Gietzen 2009-05-19 18:56:17

Edited my answer to include a .bat example.

RedFilter 2009-05-19 19:58:29

I'm +1 here, even though I'm pretty sure your script won't work. Specifically, you need to use the SVNLOOK utility to detect changes, rather then just checking against the Repository name. I posted my code as an answer.

John Gietzen 2009-05-19 20:08:38

Yes, you are almost certainly right - this is untested code from memory, am not able to test against a repo right now. Use svnlook to get the proper working path. Do you need help with that? The primary intent of my code was to show how to do substring search and return correct errorlevel.

RedFilter 2009-05-19 21:26:44

Oh, I see by your example you have the svnlook covered.

RedFilter 2009-05-19 21:28:18

Answer 2

+2 A:

There's no "proper" way. Tags are a convention and developers should learn and follow it. Barring that, a fail-safe can be implemented using Subversion hooks. See this page for a nice tutorial.

ASk 2009-05-19 18:43:24

Answer 3

+1 A:

This seems to me to be a matter of education and process. If your developers understand the purpose of your SVN tags, it seems a lot less likely that you'll have people (intentionally) doing commits to a tag. What I found to be indispensable to communicating these processes effectively is up to date, written documentation. My team uses a wiki to store documentation about our processes (specifically, we use MediaWiki). The wiki approach seems to make things a lot more accessible and easier to keep up to date than something like storing versioned MS Office documents in sharepoint.

Paul Morie 2009-05-19 18:49:37

I am one of the developers, and I would actually rather have this implemented as a hard-and-fast rule.

John Gietzen 2009-05-19 18:57:53

Fair enough. Can I ask why? Obviously, accidents happen, and that's one use-case where a hard-and-fast rule is useful. Is that why you want it?

Paul Morie 2009-05-19 19:05:15

Yes. And there may be some of my peers that I don't trust to understand the policy.

John Gietzen 2009-05-19 19:06:53

That's rough. I'm a believe that everyone with commit access is in a highly trusted position. Perhaps you should talk to your management if you can't trust someone to follow a pretty basic process. After all, if you can't even trust them to check their code into the right place, what does that say about the quality of their work?

Paul Morie 2009-05-19 19:29:22

There happen to be a lot of politics around this. Normally I would agree with you, but I don't want to be a martyr.

John Gietzen 2009-05-19 19:45:13

I have a pretty good idea of what you're talking about. That said, if the commits from these individuals starting failing, it might give Them stabble-stabble points on you for that.Good luck!

Paul Morie 2009-05-19 20:04:05

Thanks! Anyways, since this is a fresh install, I don't think they will know that it was a modification rather than a part of the product.

John Gietzen 2009-05-19 20:18:27

Answer 4

+2 A:

For Question #1, I developed for this:

@echo off
SET SVNLOOK=C:\Program Files\CollabNet Subversion Server\svnlook.exe
SET GREP=D:\SVN\Repo\hooks\grep.exe
SET LOG=D:\SVN\Repo Logs.txt

>>"%LOG%" echo ==== commit %1 %2 ====
>>"%LOG%" "%svnlook%" changed -t %2 %1

("%svnlook%" changed -t %2 %1 | "%grep%" "^U.*/tags/") && (echo Cannot commit to tags.>&2 && exit 1)
("%svnlook%" log -t %2 %1 | "%grep%" "[a-zA-Z0-9]") || (echo You must specify a comment.>&2 && exit 1)

exit 0

Grabbed the grep tool from http://sourceforge.net/projects/unxutils

For Question #2, the answer is NO, you cannot check against AD security groups in the AuthZ config file.

Thanks for your help, everyone.

John Gietzen 2009-05-19 20:07:26

I am pretty sure you could use the native findstr instead of grep...

RedFilter 2009-05-19 21:32:58

Thanks, I'll look in to that.

John Gietzen 2009-05-20 13:54:43

this is cool windows scripting ;) question: in your script I can ADD new files to tags.. do you know a solution to avoid this(I am searching for such a solution)?

Peter Parker 2009-05-20 13:59:30

Yes, you can copy the first line that contains the "(%svnlook%" text, and change the "^U.*" to "^A.*" However, be warned that you will be entirely unable to add new files to any directory named "tags."

John Gietzen 2009-05-20 14:07:18

Answer 5

A:

How about using the svn-auth file to define that? this would look like that:

[groups]
ADMINS=<your ID>
<rest of groups>=<all other IDs>

[/]
* = r
<rest of groups> = rw
@ADMINS = rw

[/tags]
<rest of groups> = r

This will allow the ADMINS read-write access to the tags directory, but no one else. I do not know the SSPI auth plugin, so perhaps my provided example does not work in your context.

mliebelt 2010-01-14 08:33:19

ansaurus

tags:

views:

answers:

Subversion Tagging and Security

related questions