authz: what has precidence when user is multiply referenced for a particular path?

From: B. Smith-Mannschott <benpsm_at_gmail.com>
Date: 2006-05-19 11:29:01 CEST

From the subversion book (r2160):

<quote>
The access file also allows you to define whole groups of users, much
like the Unix /etc/group file:

[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = harry, sally, joe, frank, sally, jane

Groups can be granted access control just like users. Distinguish them
with an "at" (@) prefix:

[calc:/projects/calc]
@calc-developers = rw

[paint:/projects/paint]
@paint-developers = rw
jane = r

Groups can also be defined to contain other groups:

[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = @calc-developers, @paint-developers

...and that's pretty much all there is to it.
</quote>

Respectfully, no, ... it isn't.

[paint:/projects/paint]
@paint-developers = rw
jane = r

Since "jane" is also a member of paint-developers, does she have
read-only or read-write permssion? Which takes precidence? The more
permissive? The more restrictive? The first? The last? This should
be clarified.

More generally, consider this case:

[groups]
A = x, y, z
B = v, w, x
C = w, x, y

[repos:/path]
@A=r
@B=rw
@C=

What kind of access does user "x" have on "/path"?

// ben
Received on Fri May 19 11:30:00 2006

This message: [ Message body ]
Next message: o.nash_at_cs.ucc.ie: "subversion 1.3.1 problems with command line tools"
Previous message: Tony Morris: "Re: Commit .jsp problem"
Next in thread: Lieven Govaerts: "Re: authz: what has precidence when user is multiply referenced for a particular path?"
Reply: Lieven Govaerts: "Re: authz: what has precidence when user is multiply referenced for a particular path?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]