Consider the following authz configuration: [[[ [/foo/bar/baz] * = [/] * = rw ]]] /foo/bar exists in the repo where bar is an empty directory. If the user tries to do a: svn cp ^/foo ^/x They will get an error telling them access has been denied. This is because svn_repos_authz_check_access() when the required_access has svn_authz_recursive set walks the authz entries looking for any entries starting the path passed to it. But it does not bother to check that the path actually exists. This means that authz is actually more strict than it needs to be.