On Mar 16, 2004, at 12:08 AM, Sander Striker wrote:
> On Tue, 2004-03-16 at 05:29, Travis P wrote:
>> On Mar 12, 2004, at 1:27 PM, Jack Huang wrote:
>
> [...]
>>> [/]
>>> * = rw
>>> [/MyRepos]
>>> jack =
>>>
>>> I was still able to check out files from MyRepos. It appears that
>>> the
>>> first entry has overrode the second entry.
>>
>> I'm not sure negative permissions will work like you desire. Many ACL
>> systems grant the most access available to a principal (union of all
>> permissions from any and all groups in which the principal is a
>> member,
>> including "*" in this case). They do not try and manage which
>> specification of the principal is "most specific" and thus should
>> override others. I believe you are thinking that permissions for
>> "jack," because it names the principal specifically, should override
>> the permissions given to everyone, including jack, with the "* = rw"
>> specification. I don't believe the system works like that (educated
>> guess; I haven't looked at the code).
>
> Actually this will work. The algorithm is to find a section for the
> longest path first. If there is a matching user in there, we use
> the permissions specified. If there is no match, we try the path
> with the last component removed. This goes on until we are at the
> root. If there still has been no match, we deny access.
>
> Sander
Thanks for the correction. I was mapping Subversion's permissions to
AFS in my mind and made an error (AFS does not have inherited
permissions except at directory creation time; academically, it does
have negative permissions, but they're rather devilish and usually
ignored).
-Travis
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Mar 16 17:02:51 2004