I finally found the explanation for a Subversion misbehavior that has been annoying me for a long time. Many repositories of KWARC projects have a world-readable root, whereas access to certain subdirectories is restricted. Now, when checking out such repositories, I never got those subdirectories. So I always ended up doing another checkout for them, but that meant that inside the working copy of the overall repository I had a directory “sub”, which appeared as an unversioned item from above, but was an independent working copy of “sub” in itself – not quite convenient, as that makes it impossible to commit changes in the whole repository at once.
The Subversion book explains why that is the case (quoting from the section on “path-based authorization”):
Partial Readability and Checkouts
If you’re using Apache as your Subversion server and have made certain subdirectories of your repository unreadable to certain users, you need to be aware of a possible nonoptimal behavior with svn checkout.
When the client requests a checkout or update over HTTP, it makes a single server request and receives a single (often large) server response. When the server receives the request, that is the only opportunity Apache has to demand user authentication. This has some odd side effects. For example, if a certain subdirectory of the repository is readable only by user Sally, and user Harry checks out a parent directory, his client will respond to the initial authentication challenge as Harry. As the server generates the large response, there’s no way it can resend an authentication challenge when it reaches the special subdirectory; thus the subdirectory is skipped altogether, rather than asking the user to reauthenticate as Sally at the right moment. In a similar way, if the root of the repository is anonymously world-readable, the entire checkout will be done without authentication—again, skipping the unreadable directory, rather than asking for authentication partway through.
As a workaround, you temporarily have to restrict access to the root directory, while checking out.
Tags: authz, subversion