How to customize Collabnet Subversion Edge repository access rules to forbid users from deleting files(no-delete)

svn pre-commit-hook svn-hooks collabnet subversion-edge
Amarjeet Kumar picture Amarjeet Kumar · Nov 19, 2013 · Viewed 10.8k times · Source

Some developers in my team has gone mad...they sometime delete a file. I've been assigned to stop them from doing that. So far I tried following(Google is my best friend)

Under "Repository Access Rules" I've 

######################SVN Groups###################
[groups]
Admins:adm,bdm
DevGrp:abc,bob,rob
Choreograher:bob
Database:abc

##############Folder-Specific-Access-Rules#########
[temp:/trunk/]
@Admins=rw
[temp:/trunk/applications/branches/development/internal/branches]
@DevGrp=rw
[temp:/trunk/applications/branches/development/choreographer/trunk]
@Choreograher=rw
[temp:/trunk/applications/branches/development/databse/trunk]
@Database=rw

Now I need to revoke delete rights from all groups(except admins ofcourse) from entire svn. I read about https://github.com/qazwart/SVN-Precommit-Kitchen-Sink-Hook but donno how to have two different files(one of Collabnet's own file, donno where itz stored and other as pre-commit-hook) to control access rules.

I simply tried adding new-pre-commit-hook.pl to my hook list, after changing following details 

SVNLOOK_DEFAULT => '/opt/csvn/bin/svnlook',
SVN_REPO_DEFAULT    => '/opt/csvn/data/repositories/hooktest/',

.....

use constant {      # Control File Type (package Control)
    FILE_IN_REPO    => "R",
    FILE_ON_SERVER  => "/opt/csvn/data/repositories/hooktest/hooks/access-control.ini",
};

.....
use constant VALID_ACCESSES => qw(ro rw ao nd na);
....
if ( $case eq "ignore" ? $file_name =~ /$regex/i : $file_name =~ /$regex/ ) {
    if    ( $access eq "rw" ) {
    $permitted = 1;
    }
    elsif ( $access eq "ro" ) {
    $permitted = 0;
    $description = $file_rule->Description;
    }
    elsif ( $access eq "ao" ) {
    $permitted =  $change_type eq ADDED ? 1 : 0;
    $description = $file_rule->Description if not $permitted;
    }
    elsif ( $access eq "na" ) {
    $permitted = $change_type ne ADDED ? 1 : 0;
    $description = $file_rule->Description if not $permitted;
    }
    elsif ( $access eq "nd" ) {
    $permitted = $change_type ne DELETED ? 1 : 0;
    $description = $file_rule->Description if not $permitted;
    }
}

I tried with tags folder first.

Control File:access-control.ini

#SVN Permission Control File
##====================Legends====================##
#   Abbr.   Description
#   ro      read-only
#   rw      read-write
#   ao      add-only
#   nd      no-delete
#   na      no-add
##==============SVN Groups=======================##
[group superadmins]
users = adm,bdm
[group developers]
users = abc,bob,rob
[group all]
users = adm,bdm,abc,bob,rob
##===========Folder Specific Permissions=========##
[file]
file =/tags/**
access = ro
users = @all

[file]
file =/tags/*/*
access = ao
users = @superadmins

[file]
file =/tags/**
access = ro
users = @superadmins

But it did not work. I'm naive with perl as well as SVN. Please help. OS:Red Hat Enterprise Linux Server release 6.3 (Santiago) About Subversion Edge: Release: 3.2.2

Answer

Mark Phippard picture Mark Phippard · Dec 4, 2013

SVN Edge helps you configure and manage a standard Subversion server that includes the binaries for. The Access Rules feature is part of Subversion itself as documented here:

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

You will want to use this feature to control who can read and write to your repository. That is as far as the Subversion feature goes.

What you want to do is further break down the write operation to control who can delete, which is simply one form of write. Subversion allows you to do that by inserting a pre-commit hook. Those are documented here:

http://svnbook.red-bean.com/en/1.7/svn.reposadmin.create.html#svn.reposadmin.create.hooks

It sounds like you found a hook that can do what you want. SVN Edge lets you upload hook scripts into the repository hooks folder via the web browser. If the hook script needs a configuration file, as is the case here, you can also upload that file. You just need to patch the hook as needed so that it can find the SVN binaries, as well as the configuration file you upload. The hook will run only AFTER the built-in SVN access rules have allowed someone with write access to get past its check.

So you need to give a user write access using the SVN Access Rules, and then take away the write access if they are trying to do something you do not want to allow them to do.

Related questions

How do I create a SVN Commit Message Template and Hook to Verify

I'm using Visual SVN Server and Tortoise SVN (client) for source control. I would like all developers to standardize on a consistent format for checkin notes. For Example I want their Commit Message to default to... Synopsis: Developer Name: (pre-populated) …

Read More
TortoiseSVN client pre commit hook to check the contents of file being committed

I want to write a pre commit hook in windows batch file which will check for specific string in the file being committed. If the string exists, the commit will fail. I have TortoiseSVN client installed. As it's tortoisesvn client, …

Read More
Automatically add svn keyword properties for new files (server-side)

I want to add svn properties (like svn:keyword=Id Date Rev Author) to files upon commits of new files. For this to work there may be two main options: Client-side: altering the autoprops in the svn client configuration Server-side: …

Read More