I'm trying to configure permissions for an SVN repository accessed through Apache 2. What I want is to let anyone access the root directory, while restricting to authenticated users a child directory. Example:
/demo
/demo/project1
/demo/project1/sensitive-data # This path should require user authentication.
/demo/project2
At first, I thought this was as simple as:
<Location /demo>
DAV svn
SVNPath /home/svn/demo
AuthType Basic
AuthName demo
AuthUserFile /etc/subversion/passwd
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
<Location /demo/project1/sensitive-data>
DAV svn
Require valid-user
</Location>
When used through HTTP (for example with CURL), Apache conforms to the configuration: I can access:
and I get, as expected, a HTTP 401 Unauthorized
when trying to retrieve http://example.com/demo/project1/sensitive-data.
On the other hand, doing:
svn checkout http://example.com/demo/ .
or:svn checkout http://example.com/demo/project1/ .
retrieves the whole directory tree, including demo/project1/sensitive-data
.
At least, svn checkout http://example.com/demo/project1/sensitive-data/ .
requests for a password.
How should I configure the permissions to restrict the access to sensitive-data
directory when doing svn checkout http://example.com/demo/ .
?