Multiple matching lines in authz file

From: Philip Martin <philip_at_codematters.co.uk>
Date: Thu, 14 Jan 2010 22:16:35 +0000

What should happen when a username matches multiple lines in an authz
file? The svnbook states that the first matching line applies:

[groups]
paint-developers = frank, sally, jane

   [paint:/projects/paint]
   jane = r
   @paint-developers = rw

   Another important fact is that the first matching rule is the one
   which gets applied to a user. In the prior example, even though
   Jane is a member of the paint-developers group (which has
   read/write access), the jane = r rule will be discovered and
   matched before the group rule, thus denying Jane write access.

That's not what happens when I try it. I've stepped through in the
debugger and all lines that match get considered and the resulting
authz is the combination of all the permissions. In the above example
jane will have read/write access. Even simple authz files behave this
way:

   [/]
   philip =
   * = r

The book implies that philip would be denied access but when I try it
read access is allowed. Is this a book bug or a Subversion bug?

If it's a Subversion bug can we fix it? Do admins want this
behaviour? Can we change the behaviour of existing authz files? I
suppose we could introduce a some sort of directive to control the
matching behaviour:

[directives]
match = first

-- 
Philip

Received on 2010-01-14 23:17:13 CET

This message: [ Message body ]
Next message: Paul Burba: "Re: [NEW TARBALLS] Re: 1.6.8 up for signing / testing"
Previous message: Philip Martin: "Re: [NEW TARBALLS] Re: 1.6.8 up for signing / testing"
Next in thread: Stefan Sperling: "Re: Multiple matching lines in authz file"
Reply: Stefan Sperling: "Re: Multiple matching lines in authz file"
Reply: Eric Lee: "Re: Multiple matching lines in authz file"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]