On Fri, Jul 06, 2012 at 02:04:10PM +0200, Ilya Ruprecht wrote: > <Location "/git/repo1.git"> > # read access > <Limit GET> > require ldap-group repo.writers > require ldap-group repo.readers > </Limit> > > # write access > <Limit GET PUT POST DELETE PROPPATCH MKCOL COPY MOVE > LOCK UNLOCK> > require ldap-group repo.writers > </Limit> As you noticed, this will not do what you want. Git's smart-http protocol uses POST requests to send the list of heads during ref negotiation. So even a fetch request will require both GETs and POSTs. The right way to restrict reading versus writing over smart-http is to check which git service is being requested (confusingly, "git-upload-pack" is for clones and fetches, and "git-receive-pack" is for pushes; the names are based on what the _server_ is doing). There is an example in the git-http-backend documentation, which uses a LocationMatch along with a "require" directive. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html