Can you use wildcards in Subversion’s Path Based Authorization?
Subversion info: Collabnet Subversion Edge 3.2.2 SVN Version: 1.8.0 Apache HTTP Server 2.4.4 Using mod_authz_svn, no ldap What I'm trying to do is allocate access of a Subversion project to all developers on the team, but have certain directories that only certain developers should be given access to. Rather than create dozens of entries like so: @superdevs = trusteddev, projman @devs = @specdevs, user1, user2, user3 [/] * = rw [MyProj:/] ~@devs = [MyProj:/trunk/AllDevs/SuperDevsOnly] ~@superdevs = [MyProj:/trunk/ManyOtherDirs/SuperDevsOnly] ~@superdevs = # the list goes on and on... Is it possible to configure the path-based authorization file to define a file pattern instead of explicitly creating an entry for each restricted path? I'm hoping to avoid adding 200+ entries to the authorization file as I know more entries will affect performance of all SVN operations hosted on the server. This also seems like a lot of work to secure sensitive code that is necessary to build our final solution. TL;DR; Can you define common file patterns when setting up Subversion's Path-Based Authorization file instead of defining a rule for each explicit file or directory you need to restrict? ONE MORE THING I am familiar with externals, but we have not been able to get them to work with our continuous integration system, and the powers that be do not want to "waste time" to update or replace it at the moment.
The wildcard issue has been discussed for quite some time with svn, and there is an open bug report for it:
The last comment (from June 2013) included the following statement:
We concluded that this feature is worth implementing anyway. We can
alert users to the fact that the feature can reduce server performance
in some cases, and could even be used for denial of service attacks
(as already mentioned in above comments to this issue).
The pre-commit hook svnperms.py has limited wildcard support, only for writes, not for reads:
The upcoming Subversion 1.10 release will support globbing wildcards in path-based authorization: https://subversion.apache.org/docs/release-notes/1.10.html#authzperf