Question

Some developers in my team have gone mad... they sometimes delete a file. I've been assigned to stop them from doing that. So far I tried the following (Google is my best friend).

Under "Repository Access Rules" I have:

######################SVN Groups###################
[groups]
Admins:adm,bdm
DevGrp:abc,bob,rob
Choreograher:bob
Database:abc

##############Folder-Specific-Access-Rules#########
[temp:/trunk/]
@Admins=rw
[temp:/trunk/applications/branches/development/internal/branches]
@DevGrp=rw
[temp:/trunk/applications/branches/development/choreographer/trunk]
@Choreograher=rw
[temp:/trunk/applications/branches/development/databse/trunk]
@Database=rw

Now I need to revoke delete rights from all groups (except admins, of course) across the entire SVN. I read about https://github.com/qazwart/SVN-Precommit-Kitchen-Sink-Hook but don't know how to have two different files (one is CollabNet's own file, and I don't know where it's stored; the other is the pre-commit hook) to control access rules.

I simply tried adding new-pre-commit-hook.pl to my hook list, after changing the following details:

SVNLOOK_DEFAULT => '/opt/csvn/bin/svnlook',
SVN_REPO_DEFAULT    => '/opt/csvn/data/repositories/hooktest/',

.....

use constant {      # Control File Type (package Control)
    FILE_IN_REPO    => "R",
    FILE_ON_SERVER  => "/opt/csvn/data/repositories/hooktest/hooks/access-control.ini",
};

.....
use constant VALID_ACCESSES => qw(ro rw ao nd na);
....
if ( $case eq "ignore" ? $file_name =~ /$regex/i : $file_name =~ /$regex/ ) {
    if    ( $access eq "rw" ) {
        $permitted = 1;
    }
    elsif ( $access eq "ro" ) {
        $permitted = 0;
        $description = $file_rule->Description;
    }
    elsif ( $access eq "ao" ) {
        $permitted =  $change_type eq ADDED ? 1 : 0;
        $description = $file_rule->Description if not $permitted;
    }
    elsif ( $access eq "na" ) {
        $permitted = $change_type ne ADDED ? 1 : 0;
        $description = $file_rule->Description if not $permitted;
    }
    elsif ( $access eq "nd" ) {
        $permitted = $change_type ne DELETED ? 1 : 0;
        $description = $file_rule->Description if not $permitted;
    }
}

I tried with tags folder first.

Control File:access-control.ini

#SVN Permission Control File
##====================Legends====================##
#   Abbr.   Description
#   ro      read-only
#   rw      read-write
#   ao      add-only
#   nd      no-delete
#   na      no-add
##==============SVN Groups=======================##
[group superadmins]
users = adm,bdm
[group developers]
users = abc,bob,rob
[group all]
users = adm,bdm,abc,bob,rob
##===========Folder Specific Permissions=========##
[file]
file =/tags/**
access = ro
users = @all

[file]
file =/tags/*/*
access = ao
users = @superadmins

[file]
file =/tags/**
access = ro
users = @superadmins

But it did not work. I'm naive with Perl as well as SVN. Please help.

OS: Red Hat Enterprise Linux Server release 6.3 (Santiago)
About Subversion Edge: Release: 3.2.2

No correct solution

OTHER TIPS

SVN Edge helps you configure and manage a standard Subversion server that includes the binaries for. The Access Rules feature is part of Subversion itself as documented here:

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

You will want to use this feature to control who can read and write to your repository. That is as far as the Subversion feature goes.

What you want to do is further break down the write operation to control who can delete, which is simply one form of write. Subversion allows you to do that by inserting a pre-commit hook. Those are documented here:

http://svnbook.red-bean.com/en/1.7/svn.reposadmin.create.html#svn.reposadmin.create.hooks

It sounds like you found a hook that can do what you want. SVN Edge lets you upload hook scripts into the repository hooks folder via the web browser. If the hook script needs a configuration file, as is the case here, you can also upload that file. You just need to patch the hook as needed so that it can find the SVN binaries, as well as the configuration file you upload. The hook will run only AFTER the built-in SVN access rules have allowed someone with write access to get past its check.

So you need to give a user write access using the SVN Access Rules, and then take away the write access if they are trying to do something you do not want to allow them to do.

That's a great question. No. The Subversion Repository control only allows you to specify if someone can read the repository, or read and make commits to the repository. To have finer permissions, you'll have to write a Subversion pre-commit hook that will allow users to modify, but not delete files/directories. If only someone had written such a pre-commit hook!

Wait a second! I wrote such a pre-commit hook.

This particular hook allows for the following permissions:

  • read-write: Allow user to read and commit changes to the file.
  • read-only: Prevent the user from making any change to the file.
  • no-delete: Allow users to make changes, but not delete the file.
  • add-only: Allow a user to add a directory via svn cp, but cannot edit the file once added. This was specifically created with tags in mind.
  • no-add: Allow users to make changes (and even delete the file), but they cannot add this file.

Notice there's no permission that prevents read access. That can only be controlled through the repository access controls. After all, a pre-commit hook can only work if the file has already been checked out.

These permissions can be set via user groups (including LDAP groups and Windows Active Directory groups), and files can be matched using either Perl regular expressions or Ant globbing.

The hook can also check for banned file names, whether the correct file properties are set, and whether the revision properties (including the commit message, svn:log) are set correctly. The values of the properties can be matched against strings or regular expressions.
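
An added example, not part of either answer and not the Kitchen Sink hook's own code: a Python pre-commit hook that applies the five access codes listed above to the output of `svnlook changed`, denying deletes to everyone except the admins. The rule list, the "later matching rule overrides earlier ones" ordering, the allow-by-default behaviour and the function names are assumptions of this example; the svnlook path and the admin user names are the ones given in the question.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

# Constructed policy (hypothetical): everyone gets no-delete, admins get read-write.
ADMINS = {"adm", "bdm"}
RULES = [  # (ant_glob, access, users or None for everyone); later matches override
    ("/**", "nd", None),
    ("/**", "rw", ADMINS),
]

def glob_to_regex(glob):
    """Ant-style glob: '**' crosses directories, '*' stays inside one segment."""
    out = ""
    for part in re.split(r"(\*\*|\*)", glob):
        out += {"**": ".*", "*": "[^/]*"}.get(part, re.escape(part))
    return re.compile("^" + out + "$")

def allowed(access, change):
    """Same decisions as the rw/ro/ao/na/nd branches quoted in the question."""
    return {"rw": True, "ro": False, "ao": change == "A",
            "na": change != "A", "nd": change != "D"}[access]

def denied_paths(author, changed_text, rules=RULES):
    """Return [(change, path)] the author may not commit; no match means allow."""
    denied = []
    for line in changed_text.splitlines():
        if len(line) < 5:
            continue
        # svnlook changed: status in column 0 (A, D, U, _), path from column 4
        change, path = line[0], "/" + line[4:].rstrip("/")
        ok = True
        for glob, access, users in rules:
            if (users is None or author in users) and glob_to_regex(glob).match(path):
                ok = allowed(access, change)
        if not ok:
            denied.append((change, path))
    return denied

def svnlook(cmd, repo, txn):
    return subprocess.check_output(
        ["/opt/csvn/bin/svnlook", cmd, "-t", txn, repo], text=True)

if __name__ == "__main__":  # Subversion calls the hook as: pre-commit REPOS TXN
    repo, txn = sys.argv[1], sys.argv[2]
    bad = denied_paths(svnlook("author", repo, txn).strip(), svnlook("changed", repo, txn))
    for change, path in bad:
        sys.stderr.write("Not permitted (%s): %s\n" % (change, path))
    sys.exit(1 if bad else 0)
```

Subversion rejects the commit when the hook exits non-zero and passes what was written to stderr back to the client.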

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow