Ancestor directory permissions in authz
From: Hannes Reich <hannes_at_skynet.ie>
Date: Fri, 28 Nov 2014 18:03:16 +0100
I'd like to suggest an extension to the authz file format to support the
* Some users of the repository should have access to everything, others
* All users should be able to check out from the same "root" directory.
Currently, the authz configuration for such a setup is verbose, and
This could be simplified by introducing the concept of "ancestor
If the repo contains directories named
...then these authz rules will grant access to the two "public" paths:
...but to enable a single checkout containing them both, we also need
...which enables access to the ancestor directories, followed by
...to avoid granting access to the "secret" directories.
If we create "/A/E/F/G/H/secret3" at some future time, then we must
...or the restricted users will have access to it as a result of the
That's a lot of configuration for an IMHO simple requirement.
With ancestor permissions, all of the above could be expressed as
which implies read access to "/", "/A", "/A/C" and "/D", but not to
svn_repos_authz_check_access distinguishes between checks for recursive
This is similar to the scanning of subpath permissions to check for
Does this seem like a generally worthwhile feature and/or sensible way
Thanks for any feedback,
This is an archived mail posted to the Subversion Dev mailing list.