imho, the system should continue parsing and finally keep the less
restrictive access for the user.
Perceval
2006/5/19, Frank Gruman <fgatwork@verizon.net>:
>
> Greg Thomas wrote:
> On Fri, 19 May 2006 07:55:23 -0400, Jeb <jeb.beasley@penske.com> wrote:
>
> I think that is contrary to most interpretations of best practice for
> security models. Most severe restriction should apply.
>
> This makes it impossible to give anonymous read only access, a very
> desirable feature:
>
> [/foo]
> *=r
> @developers=rw
>
> Greg
>
> So then why can't we let the system continue parsing the permissions? An
> earlier post (from Lieven) stated:
>
> "To answer your specific question, I found that once you grant the user a
> right (@paint-developers=rw), you can't remove that right on the next
> line (jane=r). In fact, subversion just parses the first line, sees that
> jane has rw rights through the paint-developers group and just stops
> parsing."
>
> [/foo]
> *=r
> @developers=rw
> jane=r
>
> If this is done, then the order in which the permissions are assigned takes
> on significance. So read-only can be given to everyone, the developers group
> could be given full rw access, Jane is part of the developers group, but not
> for this particular repository so she should be read-only.
>
> My 2 cents (USD).
>
> Regards,
> Frank
>
Received on Fri May 19 14:56:59 2006
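
The resolution rules argued over in this thread, applied to the `[/foo]` section quoted above. This is an added example, not part of the original messages and not Subversion's authz code; the `[groups]` membership, the users `bob` and `guest`, and the policy names are assumptions made for illustration.

```python
# Added illustration: compares rule-resolution policies debated in the thread.
# It does not reproduce Subversion's actual authz implementation.
SAMPLE_AUTHZ = """\
[groups]
developers = jane, bob

[/foo]
* = r
@developers = rw
jane = r
"""  # [groups] content is constructed; the [/foo] rules come from the thread

def parse(text):
    """Return (groups, rules); rules maps path -> ordered [(subject, access set)]."""
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "groups":
            groups[key] = {m.strip() for m in value.split(",") if m.strip()}
        elif section is not None:
            rules.setdefault(section, []).append((key, set(value)))
    return groups, rules

def applies(subject, user, groups):
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == user

POLICIES = {  # hypothetical names for the positions taken in the thread
    "first-match": lambda grants: grants[0],
    "last-match": lambda grants: grants[-1],
    "least-restrictive": lambda grants: set.union(*grants),
    "most-restrictive": lambda grants: set.intersection(*grants),
}

def effective_access(user, path, policy, text=SAMPLE_AUTHZ):
    groups, rules = parse(text)
    grants = [a for s, a in rules.get(path, []) if applies(s, user, groups)]
    return "".join(sorted(POLICIES[policy](grants))) if grants else ""

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, {u: effective_access(u, "/foo", policy) for u in ("guest", "bob", "jane")})
```

Only the order-sensitive last-match policy yields read-only for anonymous users, read-write for developers, and read-only for jane at the same time; the most-restrictive policy reduces every developer to read-only, and the least-restrictive policy cannot demote jane.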