I'm trying to protect a subversion repository, requiring a username/password to browse the repo, and requiring the user to be a member of the admin group to file any changes.

Guest user (read-only permissions) is 'user1', admin user (read-write permissions) is 'user2'. Both are defined in davsvn.passwd file, but only user2 is defined in davsvn.group, ie

dav_svn.group

admin:user2

[httpd.conf]

 <virtualhost *:443=""><location svn="">DAV svn
    SVNPath /path/to/svn
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /etc/apache2/dav_svn.passwd
    AuthGroupFile /etc/apache2/dav_svn.group
    Require valid-user

    <limitexcept get="" propfind="" options="" report="">Require group admin</limitexcept></location></virtualhost> 

Although attempts to acces the repo is greeted with the login box for both users, both users can commit changes to the repo, and the Apache access.log shows PUT, MERGE, CHECKOUT, DELETE, PROPPATCH, MKACTIVITY, etc entries for user1, who should not be able to do any of those things.

I tried putting 'Require valid-user' in a block, but it didn't help.

It looks like the LimitExcept block is not taking effect, but I can't see where I might have mis-configured it. Any help appreciated.