
Re: [PATCH] prototype replay authz checks

From: Danny van Heumen <danny.vanheumen_at_hccnet.nl>
Date: 2006-04-30 01:06:27 CEST

Garrett Rooney wrote:
> To get this kind of behavior we either need to have nonrecursive authz
> permissions, which means each and every path that you want to block
> checkout of needs to be tagged in the authz conf file, which would
> really suck, or we need wildcards of some sort. Adding wildcard
> support without having it devolve into "ok, now we enumerate all
> sections in the file and see if any of them match" seems like it will
> require some thought...
>
> So before I dive into the whole "how should wildcards work" mess any
> further than I already have, has anyone thought about that sort of
> thing yet? Anyone got a design proposal sitting around that they
> haven't sent out yet?
>
> -garrett

Couldn't we just work with an attribute that indicates that the current
setting is nonrecursive? For example, use the - to indicate a
non-recursive attribute.

BTW I noticed the use of the 'x' for checkout rights (is this correct?)
but this is a slightly different meaning than the x in a unix/linux
environment indicating whether or not it's allowed to be accessed. And
because in the svnserve-authz code there was a hint about implementing
an 'x' "under water" it might be a better idea to use an 'o' for
check-Out or some other character.

Example where I will indicate that a certain directory is read-only,
because you don't want to disturb this directory structure:

dir-structure:
/
/project/
/project/trunk/
/project/branches/
/project/tags/

authz-file:
('-' means that this attribute is non-recursive and is part of both r and x)
--start--
[/]
* = rwx

[/project]
* = rx-
--end--

First part:
everyone gets read+write access to the repository.

Second part:
indicates that in the project-directory (and only this directory)
everyone gets read-only access.

When someone wants to write to '/project/trunk' the non-recursive will
just be ignored when it's on a parent folder, so:
[/]
* = rwx

will indicate that the user has write-access on the folder.

This could work well together with Garrett's proposition for wildcards
so a user can choose the most efficient method for indicating special
access situations.

Danny

Received on Sun Apr 30 01:05:23 2006
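
The lookup proposed in the message above, as an added example that is not part of the original mail and is not Subversion code. It assumes a trailing '-' marks the whole rule as non-recursive, that a user's own entry is preferred over '*', and that a path with no applicable rule is denied; load_rules and rights_for are hypothetical names.

```python
# Added illustration of the proposed '-' (non-recursive) authz flag.
# Not Subversion's implementation; function names are hypothetical.

# Authz text taken from the message above.
AUTHZ = """
[/]
* = rwx

[/project]
* = rx-
"""

def load_rules(text):
    """Parse authz text into {path: {user: (rights, recursive)}}."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].rstrip("/") or "/"
            current = rules.setdefault(path, {})
        elif current is not None and "=" in line:
            user, value = (part.strip() for part in line.split("=", 1))
            # Assumption: a trailing '-' makes the rule non-recursive.
            recursive = not value.endswith("-")
            current[user] = (frozenset(value.rstrip("-")), recursive)
    return rules

def rights_for(rules, path, user="*"):
    """Walk from path up to '/', skipping non-recursive rules on parents."""
    target = path.rstrip("/") or "/"
    node = target
    while True:
        section = rules.get(node, {})
        entry = section.get(user, section.get("*"))
        if entry is not None:
            rights, recursive = entry
            # A non-recursive rule only counts on the exact path it names.
            if recursive or node == target:
                return rights
        if node == "/":
            return frozenset()  # Assumption: no applicable rule means deny.
        node = node.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    rules = load_rules(AUTHZ)
    for p in ("/", "/project", "/project/trunk", "/project/tags"):
        print(p, "".join(sorted(rights_for(rules, p))))
```

Under these semantics the read-only rule protects only the /project directory entry itself; every child still inherits write access from [/], so anything below it that must stay read-only needs its own section.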

This is an archived mail posted to the Subversion Dev mailing list.
