On Tue, 2004-03-16 at 05:29, Travis P wrote:
> On Mar 12, 2004, at 1:27 PM, Jack Huang wrote:
[...]
> > [/]
> > * = rw
> > [/MyRepos]
> > jack =
> >
> > I was still able to check out files from MyRepos. It appears that the
> > first entry has overridden the second entry.
>
> I'm not sure negative permissions will work like you desire. Many ACL
> systems grant the most access available to a principal (union of all
> permissions from any and all groups in which the principal is a member,
> including "*" in this case). They do not try and manage which
> specification of the principal is "most specific" and thus should
> override others. I believe you are thinking that permissions for
> "jack," because it names the principal specifically, should override
> the permissions given to everyone, including jack, with the "* = rw"
> specification. I don't believe the system works like that (educated
> guess; I haven't looked at the code).

Actually this will work. The algorithm is to find a section for the
longest path first. If there is a matching user in there, we use
the permissions specified. If there is no match, we try the path
with the last component removed. This goes on until we are at the
root. If there still has been no match, we deny access.

Sander
Received on Tue Mar 16 07:09:13 2004
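
The lookup Sander describes, run against the rules quoted in the thread, as an added example that is not part of the original message and is not Subversion's own code. The function names are hypothetical, groups are left out, and preferring a named user over `*` inside one section is an assumption.

```python
import configparser

# Constructed sample: the authz rules quoted in the thread.
AUTHZ = """\
[/]
* = rw

[/MyRepos]
jack =
"""

def load_rules(text):
    """Parse authz text into {path: {user: permissions}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {sec: dict(cp[sec]) for sec in cp.sections()}

def parent(path):
    """Drop the last path component; '/' has no parent."""
    if path == "/":
        return None
    head = path.rstrip("/").rsplit("/", 1)[0]
    return head or "/"

def lookup(rules, user, path):
    """Return the permission string that applies, or '' (deny)."""
    path = "/" + path.strip("/")
    while path is not None:
        section = rules.get(path, {})
        # Assumption: an entry naming the user is preferred over '*'
        # when both appear in the same section.
        for name in (user, "*"):
            if name in section:
                return section[name]  # first match wins, even if empty
        path = parent(path)  # no match here: retry one level up
    return ""  # reached the root without a match: deny

def can_read(rules, user, path):
    return "r" in lookup(rules, user, path)
```

Under this lookup the empty `jack =` entry stops the walk at `/MyRepos`, so the `* = rw` entry at the root is never consulted for jack below that path.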