Subversion Permissions using pre-commit hook

Subversion does not allow fine grained permission management natively through svnserve. For example, it is not possible to disable read/write access to a certain SVN directory for a given user.

However, you generally don’t want all your users to be able to write changes anywhere else than the branch they’re working on until they finish their work and prove that they’re able to “not screw everything up” ;)

This can be achieved by using pre-commit hooks in subversion that will make transactions fail in directory where users don’t have permissions.

For access control, a good choice is the pre-commit hook generally located in /usr/share/subversion/hook-scripts on a default svn install.

You’ll need to copy the /path/to/your/repository/hooks/pre-commit.tmpl to /path/to/your/repository/hooks/pre-commit and make it executable (chmod +x). Then you’ll have to edit that file to add a line that looks like (all on one line) :

/usr/share/subversion/hook-scripts/ “$1” “$2” /path/to/your/repository/conf/commit-access-control.cfg || exit 1

Then, you edit the /path/to/your/repository/conf/commit-access-control.cfg to make it look like:

[Make everything read-only for all users]
match   = .*
access  = read-only
[Make somebranch read-write for user1]
match  = ^branches/somebranch
users  = user1
access = read-write

And you’re all set ;) When user1 tries to commit in somebranch, it will go smooth. Any other user committing will result in a failure. You can change this by adding :

[Make everything writable to some users listed here below]

match  = .*
users  = user2 user3
access = read-write



7 Responses to “Subversion Permissions using pre-commit hook”

  1. Penny Says:

    I could definitely see your expertise in the work you write. The sector hopes for more passionate writers like you exchanging such great tips! Thanks.

  2. » Requiring Comments for Subversion Commits Says:

    […] it for my situation.  See the Word Aligned article for a details on testing the hook script and this blog for information on setting up var dd_offset_from_content = 40;   […]

  3. mandm Says:

    is there similar way to restrict the users from being able to read certain directories?

  4. nicolas Says:

    mandm: SVN doesn’t have pre-checkout hooks that you can use for this. However, one way to go could be SVN Path Based Authorization.

  5. Benh tri Says:

    Thanks for some other wonderful post. Where else may anyone get that kind of information in such a perfect means of writing? I’ve a presentation subsequent week, and I’m on the look for such information.

  6. ram Says:

    i am getting the below error while executing
    Can’t locate Config/ in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8

  7. nicolas Says:

    ram: You shouldn’t be executing the script manually. Instead, you should modify the repository configuration as indicated in the post so that the script is run by the SVN process before each commit as a pre-commit hook.

Leave a Reply