[PATCH] Re: Ancestor directory permissions in authz

On 02/12/14 16:49, C. Michael Pilato wrote:
> On 11/28/2014 12:03 PM, Hannes Reich wrote:
>> I'd like to suggest an extension to the authz file format to support the
>> following scenario:
>>
>> * Some users of the repository should have access to everything, others
>> should be restricted to a small set of "public" directories.
>>
>> * All users should be able to check out from the same "root" directory.

> I love the idea of the feature, and in fact began at one point in the
> past trying to provide similar functionality on the authz-overhaul
> branch.

Thanks for the encouragement and background information.

I've attached the patch, which I would describe as a workaround for the
underlying issue the authz-overhaul branch is addressing.

Since the patch lacks authz-overhaul's concept of "list access", the
"ancestor" permission has some side-effects:

- Users can learn of the existence of the siblings of all ancestors of
paths to which they have access (by poking around in .svn/wc.db). This
is suboptimal but acceptable for my use case.

- Users can access the properties of all ancestors of paths to which
they have access. Perhaps this can be construed as a feature since it
enables access to svn:mergeinfo, though I haven't explored how well
merges as a restricted user work in practice.

/Hannes