[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Limited subdirectory access

From: K F <cmkforce_at_yahoo.com>
Date: Tue, 31 Jan 2012 06:50:36 -0800 (PST)

--- On Tue, 1/31/12, Philip Martin <philip.martin_at_wandisco.com> wrote:

> From: Philip Martin <philip.martin_at_wandisco.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cmkforce_at_yahoo.com>
> Cc: "users_at_subversion.apache.org" <users_at_subversion.apache.org>, "MarkCooke" <mark.cooke_at_siemens.com>
> Date: Tuesday, January 31, 2012, 2:00 PM
> Stefan Sperling <stsp_at_elego.de>
> writes:
>
> > On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
> >> [groups]
> >> dev = rcrespo, test
> >> dev1 = test
> >> qa = qagroup
> >>
> >> [/DEF]
> >> @dev =
> >> @dev1 = rw
> >>
> >> [/]
> >> @dev = rw
> >> @qa = r
> >>
> >> I am still able to commit files in the DEF
> directory using the rcrespo login.
> >
> > Hmmm... I think you'll have to revoke the dev's group
> rw access on the root.
> > Then grant write permissions to subtrees individually.
> I suspect this is
> > because permissions for all path components are
> combined to form the final
> > set of permissions for a given full path.
> >
> > The book was wrong about this for a long time.
> > It claimed that permissions for earlier components of a
> path were
> > overridden by permissions for later components, which
> is incorrect.
>
> I think that's misleading.  The error in the book
> involved a user
> matching multiple lines for a single location, like the user
> 'test'
> above.  When that happens the user gets the union of
> all the
> permissions, the book mistakenly claimed the first matching
> line was
> used.
>
> Using the rules above in a file z.z:
>
> $ tools/server-side/svnauthz-validate z.z rcrespo /ABC
> user 'rcrespo' has rw access to '/ABC'
> $ tools/server-side/svnauthz-validate z.z rcrespo /DEF
> user 'rcrespo' has no access to '/DEF'
> $ tools/server-side/svnauthz-validate z.z test /DEF
> user 'test' has rw access to '/DEF'
>
> It appears the authz file is correct and denies rcrespo
> access to /DEF.
>
> I suspect the problem is a failure to enable authz at
> all--editing the
> wrong config file, accessing the wrong repository, failed to
> restart
> apache, something like that.
>
> --
> Philip
>

I verified the file is correct. I tried committing with a login other than rcrespo or test and it does not allow the commit. Apache was restarted and I can still commit with rcrespo.

Here is what is in svnserve.conf in case something is set wrong there:
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
Received on 2012-01-31 15:51:10 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.