
Re: authz: what has precedence when user is multiply referenced for a particular path?

From: Frank Gruman <fgatwork_at_verizon.net>
Date: 2006-05-19 14:24:46 CEST

Greg Thomas wrote:
> On Fri, 19 May 2006 07:55:23 -0400, Jeb <jeb.beasley@penske.com>
> wrote:
>
>
>> I think that is contrary to most interpretations of best practice for
>> security models. Most severe restriction should apply.
>>
>
> This makes it impossible to give anonymous read only access, a very
> desirable feature:
>
> [/foo]
> *=r
> @developers=rw
>
> Greg
>
So then why can't we let the system continue parsing the permissions?
An earlier post (from Lieven) stated

    "To answer your specific question, I found that once you grant the user a right
    (@paint-developers=rw), you can't remove that right on the next line (jane=r).
    In fact, subversion just parses the first line, sees that jane has rw
    rights through the paint-developers group and just stops parsing."

      

[/foo]
*=r
@developers=rw
jane=r

If this is done, then the order in which the permissions are assigned
takes on significance. So read-only can be given to everyone, the
developers group could be given full rw access, Jane is part of the
developers group, but not for this particular repository so she should
be read-only.

My 2 cents (USD).

Regards,
Frank
Received on Fri May 19 14:26:12 2006
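
Added example (not part of the mail above and not Subversion's own code): a small model that resolves the [/foo] section from this message under the three precedence rules argued in the thread, so the outcome for each user can be compared side by side. The policy names, the users "bob" and "guest", and the membership of the developers group are assumptions made for the illustration.

```python
# Constructed model of the three precedence rules debated in this thread.
# Not Subversion's authz code; the group membership is made up.
AUTHZ = """\
[/foo]
*=r
@developers=rw
jane=r
"""
GROUPS = {"developers": {"jane", "bob"}}  # constructed sample membership
RANK = {"": 0, "r": 1, "rw": 2}


def matching_rules(text, path, user):
    """Return, in file order, the access of every rule in [path] that names user."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == path and "=" in line:
            who, access = (part.strip() for part in line.split("=", 1))
            in_group = who.startswith("@") and user in GROUPS.get(who[1:], set())
            if who in ("*", user) or in_group:
                found.append(access)
    return found


def effective(text, path, user, policy):
    """Resolve the user's access on path under one of the three policies."""
    rules = matching_rules(text, path, user)
    if not rules:
        return ""  # no matching line: no access
    if policy == "grant-sticks":      # a right granted by one line is never removed
        return max(rules, key=RANK.__getitem__)
    if policy == "most-restrictive":  # Jeb: most severe restriction applies
        return min(rules, key=RANK.__getitem__)
    if policy == "last-match":        # Frank: keep parsing, later lines override
        return rules[-1]
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for policy in ("grant-sticks", "most-restrictive", "last-match"):
        row = {u: effective(AUTHZ, "/foo", u, policy) or "-" for u in ("guest", "bob", "jane")}
        print(f"{policy:17} {row}")
```

Only the last-match rule yields all three outcomes the message asks for at once: read-only for anonymous users, rw for developers, and read-only for jane.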

This is an archived mail posted to the Subversion Users mailing list.
