Lieven,
I think that is contrary to most interpretations of best practice for
security models. Most severe restriction should apply. This is the way
most OSs and Databases interpret multiple access rights paths. I
realise they probably did this for efficiency, but I feel it should be
changed to act on the most restrictive.
Jeb Beasley
Lieven Govaerts wrote:
>Quoting "B. Smith-Mannschott" <benpsm@gmail.com>:
>
>>Respectfully, no, ... it isn't.
>>
>>[paint:/projects/paint]
>>@paint-developers = rw
>>jane = r
>>
>>Since "jane" is also a member of paint-developers, does she have
>>read-only or read-write permission? Which takes precedence? The more
>>permissive? The more restrictive? The first? The last? This should
>>be clarified.
>>
>>
>
>Hi Ben,
>
>I think you're right in that it should be clarified.
>
>If you'd like to have more detailed information on some topics, you can look at
>the python tests of authorization. They're not complete yet, but we're working
>on that:
>http://svn.collab.net/repos/svn/trunk/subversion/tests/cmdline/authz_tests.py
>
>To answer your specific question, I found that once you grant the user a right
>(@paint-developers=rw), you can't remove that right on the next line (jane=r).
>In fact, Subversion just parses the first line, sees that jane has rw
>rights through the paint-developers group and just stops parsing.
>
>Hope this helps,
>
>Lieven.
>
Received on Fri May 19 13:56:53 2006
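
The ambiguity discussed in this thread, as an added example that is not part of the original messages and does not reproduce Subversion's implementation: the rule section quoted above is evaluated under three hypothetical resolution policies so the difference in jane's effective access is visible. The `[groups]` membership (including `bob`), the policy names and all function names are assumptions.

```python
import configparser

# Constructed sample: the [groups] section is an assumption; the rule
# section is the one quoted in the thread.
AUTHZ = """
[groups]
paint-developers = jane, bob

[paint:/projects/paint]
@paint-developers = rw
jane = r
"""

def matching_grants(text, section, user):
    """Return, in file order, the access set of every line that names the user."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")}
              for g, v in cp["groups"].items()}
    grants = []
    for who, access in cp[section].items():
        if who.startswith("@"):
            hit = user in groups.get(who[1:], set())
        else:
            hit = who in (user, "*")
        if hit:
            grants.append(set(access.strip()))
    return grants

def resolve(grants, policy):
    """Combine the matching grants under one hypothetical policy."""
    if not grants:
        return ""  # no matching line: no access
    if policy == "first-match":
        chosen = grants[0]
    elif policy == "most-permissive":
        chosen = set().union(*grants)
    elif policy == "most-restrictive":
        chosen = set.intersection(*grants)
    else:
        raise ValueError(policy)
    return "".join(c for c in "rw" if c in chosen)

def compare(user, section="paint:/projects/paint"):
    """Effective access for one user under each of the three policies."""
    grants = matching_grants(AUTHZ, section, user)
    return {p: resolve(grants, p)
            for p in ("first-match", "most-permissive", "most-restrictive")}
```

Running `compare("jane")` shows that only the most-restrictive policy lets the `jane = r` line narrow the group grant, which is why an administrator auditing such a file needs to know which policy the server applies.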