Nasser,
Thanks for your explanation.
If I understand well, a user cannot have less access than a group she
belongs to, at least on the same directory: you can only restrict
access on sub directories.
Is that right?
Then, it is a real problem for us, because what we really want to do is
to provide read access to the whole repository to everybody but a few
specified users.
Are there any other way to do this?
Here, 'everybody' means 3000 users, and I guess performance would
suffer if we listed all these users in the SVN access file.
SVN would have to parse the full list for each repository access.
(Actually, I did not try that. Do you think this could work?)
Thanks for your help!
Nicolas
Dassi, Nasser wrote:
>Security (ACLs) typically run in the "path-of-least-resistence" fashion.
>
>Tom and John are anonymous until authenticated. Once authenticated,
>they have as much access as possible with the least
>challenge/resistence.
>
>In Example 1, everybody is granted Read access (path of least
>resistence).
>
>In Example 2, nobody has Read access until otherwise granted (via
>@allusers group).
>
>Hope that helps understand security/permissions (and this applies
>everywhere).
>
>- nasser
>
>Nasser Dassi
>Sr. Technical Programmer
>=========================================
>E: ndassi@141xm.com
>=========================================
>
>-----Original Message-----
>From: Nicolas Guerin [mailto:Nicolas.Guerin@xrce.xerox.com]
>Sent: Wednesday, January 26, 2005 1:10 PM
>To: users@subversion.tigris.org
>Subject: Restricting access rights in AuthzSVNAccessFile
>
>Hi,
>
>I need to allow read access to a SVN repository to any authenticated
>user but a few.
>Since we're using mod_authz_svn for fine grained user access, I put in
>place this simple AuthzSVNAccessFile access file:
>
> [groups]
> restricted = tom,john
>
> [/]
> * = r
> @restricted =
>
>I hoped that read access would be granted to all but the 'restricted'
>group.
>Unfortunately, it is not the case: tom and john can still checkout the
>repository.
>
>I also tried listing individual users instead of a group, but it didn't
>help.
>
>The only workaround I see is to list ALL users (around 3000!) in a
>group, and:
>
> [/]
> * =
> @allusers = r
>
>But I think that SVN performance would suffer...
>BTW, I'm using SVN 1.0.6 with https access.
>
>Any idea why the first example does not work?
>All suggestions welcome.
>Thank you for your help!
>
>Nicolas
>
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: users-help@subversion.tigris.org
>
>
>
>
>
>.
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jan 27 15:26:31 2005