
Per-directory access control bug?

From: Jim Fulton <jim_at_zope.com>
Date: 2006-05-13 00:02:07 CEST

I've been using per-directory access control with svnserve (subversion
1.3.0) for a few weeks now and it has worked great. So far, I've used
it to grant selected users read-only access to selected projects. My
repository is laid out in the usual way, with a top-level directory
for each project. I have a group of users with read-write access to
the whole repository and then grant other users read access to
specific projects. My access file looks something like this:

   [groups]
   zc = jim,sally,...

   [/]
   @zc = rw

   [/proj1]
   bob = r

In this example, Bob can read proj1, but can't read the root. He can't
even list the root, so he can't find out what the other projects
are. This is just what I want.

Now, suppose I want to let Mary work on proj2. It seems like I should
be able to add:

   [/proj2]
   mary = rw

But this doesn't work. Mary can read proj2, but she can't write it.
With some experimentation, I've discovered that if I grant Mary read
access at the top:

   [groups]
   zc = jim,sally,...

   [/]
   @zc = rw
   mary = r

   [/proj1]
   bob = r

   [/proj2]
   mary = rw

she can write proj2, but she can also read everything else. I don't
want that. As a partial workaround, I can explicitly deny access to
all projects:

   [groups]
   zc = jim,sally,...

   [/]
   @zc = rw
   mary = r

   [/proj1]
   * =
   @zc = rw
   bob = r

   [/proj2]
   * =
   @zc = rw
   mary = rw

   [/proj3]
   * =
   @zc = rw

   [/proj4]
   * =
   @zc = rw

   ...

But of course, this is a pain and Mary can still list other projects,
which I don't want.

It appears to me that this is a bug. I don't think I should need to
grant read access to parent directories to grant write access to a
directory.

Even though the 1.3.1 release notes didn't say anything about this, I
tried upgrading to 1.3.1, to no avail.

Thoughts?

Should I report a bug?

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
Received on Sat May 13 00:03:14 2006
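
An added example, not part of the original message and not Subversion's code: a simplified model of the access file's path lookup (the nearest section with an entry matching the user decides, and matching entries in that section are combined), run over a constructed copy of the third access file to review what each user can reach. The function names and the combining rule are assumptions of this sketch, and it does not model any additional check svnserve makes during a commit.

```python
import configparser

# Constructed copy of the third access file in the post (group members shortened).
WORKAROUND = """
[groups]
zc = jim,sally
[/]
@zc = rw
mary = r
[/proj1]
* =
@zc = rw
bob = r
[/proj2]
* =
@zc = rw
mary = rw
[/proj3]
* =
@zc = rw
"""

def load(text):
    """Parse the access file into (groups, per-path rules)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {u.strip() for u in m.split(",")} for g, m in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def applies(who, user, groups):
    return who in ("*", user) or (who.startswith("@") and user in groups.get(who[1:], ()))

def effective(text, user, path):
    """Return '', 'r' or 'rw' for user at path under this simplified model."""
    groups, rules = load(text)
    path = "/" + path.strip("/")
    while True:
        hits = [p for who, p in rules.get(path, {}).items() if applies(who, user, groups)]
        if hits:  # nearest section naming the user decides; grants are combined
            return "".join(c for c in "rw" if any(c in p for p in hits))
        if path == "/":
            return ""  # no section matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"

def exposure(text, user, paths):
    """Map each path to the user's effective access, for review."""
    return {p: effective(text, user, p) for p in paths}
```

In this model a project with no section of its own (here a hypothetical `/proj4`) falls back to `[/]`, so the `mary = r` entry there makes it readable to her, which is why the workaround needs a `* =` section for every project.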

This is an archived mail posted to the Subversion Users mailing list.
