Implicit list folder permission for parents of readable paths

VisualSVN Server provides an extension for path-based authorization that allows users to browse to any location they have read access to, starting from the server root.

Overview

Starting from version 5.0, VisualSVN Server provides a per-repository authorization option named Implicit list folder permission for parents of readable paths. It allows users to navigate to any readable path without requiring read access to all parent folders of that path.

Imagine that a user has read access to /repos/project/trunk. Previously, this would mean that:

The user cannot browse to this location starting from the server root.
The user cannot access it unless he knows the repository name and the exact path.
The user cannot see the repository in the repository list.

To remove these drawbacks, VisualSVN Server 5.0 adds a per-repository option that automatically grants list folder permission to parents of paths readable by a user. These permissions do not grant read access to the content, but allow entering the corresponding folders.

Tip

The List folder permissions are called «implicit» due to their ephemeral nature. They only exist internally in the implementation of the authorization system; they cannot be edited and are not shown in the user interface.

Note

We recommend enabling this option for all existing and new repositories. For convenience, its state for new repositories can be changed in the server configuration.

Interactive example

Imagine a repository with read access permission for /repos/project/trunk. The table below shows the detailed permission state and the corresponding client behavior.

Enable implicit list folder permission

Permissions
/repos	List folder List folder	Read contents
/repos/project	List folder List folder	Read contents
/repos/project/trunk	List folder	Read contents

Client behavior
repos is shown in the repository list. repos is not shown in the repository list.
/repos/project/trunk is discoverable starting from the server root. /repos/project/trunk is not discoverable starting from the server root.
/repos/project/trunk is accessible without knowing the repository name and exact path. /repos/project/trunk is not accessible without knowing the repository name and exact path.
/repos/project/trunk can be checked out or downloaded.

Configuring implicit list folder permission

The option to enable Implicit list folder permission for parents of readable paths is part of the per-repository authorization settings and can be found on the Advanced Security Settings dialog:

Follow these steps to enable implicit list folder permissions for a repository in VisualSVN Server Manager:

Start the VisualSVN Server Manager console.
Expand the Repositories node.
Right-click the repository and click Properties.
Click Advanced to open the Advanced Security Settings dialog.
Select the Implicit list folder permission for parents of readable paths checkbox.
Click OK to close the dialog.
Click Apply in the Properties of the repository.

The authorization settings used by the Subversion and Windows authentication modes have independent values for this option. If you are using separate authorization profiles for distributed VDFS repositories, then you should configure it separately for each profile too.

Default implicit list folder permission setting for new repositories

VisualSVN Server allows configuring the state of the Implicit list folder permission for parents of readable paths option for all new repositories. The state of this option applies to all repositories created in VisualSVN Server Manager or with VisualSVN Server PowerShell.

Follow these steps to enable implicit list folder permissions for all new repositories:

Start the VisualSVN Server Manager console.
Click the Action | Properties main menu command.
Click the Security tab.
Select Implicit list folder permissions for parents of readable paths.
Click Apply.

Managing the implicit list folder permission options through PowerShell

You can use PowerShell to view and toggle the above-mentioned authorization options that control implicit list folder permissions. This can be especially convenient for bulk operations on multiple repositories.

The per-repository option for implicit list folder permissions

For the per-repository option called Implicit list folder permissions for parents of readable paths, which turns implicit list folder permissions on or off for a specific repository, use the Get-SvnAccessConfiguration cmdlet to display the current state of this option for a particular repository or for all repositories. Using the Set-SvnAccessConfiguration cmdlet, you can toggle this per-repository option on or off for any repository.

Bulk operations on multiple repositories

The Get-SvnAccessConfiguration and Set-SvnAccessConfiguration cmdlets can operate on an individual specified repository as well as on multiple repositories in bulk. For example, to turn on implicit list folder permissions in all your repositories, execute the following command:

Get-SvnAccessConfiguration | Set-SvnAccessConfiguration -ImplicitListFolderAccess Enabled

See the reference information about the Get-SvnAccessConfiguration and Set-SvnAccessConfiguration cmdlets for more details on their available parameters.

The global default setting

You can also view or change the global default Implicit list folder permissions for parents of readable paths setting, which determines whether implicit list folder permissions are turned on or off, by default, in newly added repositories.

To view the current default setting, use the Get-SvnServerConfiguration cmdlet. The value is stored in the property called DefaultImplicitListFolderAccess. You can change this default setting using the Set-SvnServerConfiguration cmdlet, for example:

Set-SvnServerConfiguration -DefaultImplicitListFolderAccess Enabled