Greg Thomas wrote:
> On Fri, 19 May 2006 07:55:23 -0400, Jeb <jeb.beasley@penske.com>
> wrote:
>
>
>> I think that is contrary to most interpretations of best practice for
>> security models. Most severe restriction should apply.
>>
>
> This makes it impossible to give anonymous read only access, a very
> desirable feature:
>
> [/foo]
> *=r
> @developers=rw
>
> Greg
>
So then why can't we let the system continue parsing the permissions?
An earlier post (from Lieven) stated:

"To answer your specific question, I found that once you grant the user a right
(@paint-developers=rw), you can't remove that right on the next line (jane=r).
In fact, Subversion just parses the first line, sees that you jane has rw
rights through the paint-developers group and just stops parsing."

[/foo]
*=r
@developers=rw
jane=r

If this is done, then the order in which the permissions are assigned
takes on significance. So read-only can be given to everyone, the
developers group could be given full rw access, Jane is part of the
developers group, but not for this particular repository so she should
be read-only.

My 2 cents (USD).
Regards,
Frank
Received on Fri May 19 14:26:12 2006
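
An added example, not part of the original post and not Subversion's own code: a small model of the three evaluation orders argued for in this thread (most restrictive, most permissive, and the order-dependent "later line overrides" proposal), run against the quoted [/foo] section. The group membership and the user names greg and guest are assumptions.

```python
# Constructed sample: the [/foo] section quoted in the thread, in file order.
RULES = [("*", "r"), ("@developers", "rw"), ("jane", "r")]
# Assumed group membership (not given in the thread).
GROUPS = {"developers": {"jane", "greg"}}


def matches(subject, user, groups):
    """True if an authz subject (*, @group or user name) covers `user`."""
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == user


def evaluate(user, policy, rules=RULES, groups=GROUPS):
    """Return the effective access ("", "r" or "rw") under one policy."""
    grants = [set(access) for subject, access in rules
              if matches(subject, user, groups)]
    if not grants:
        return ""  # no rule matches: deny by default
    if policy == "most_restrictive":   # intersection of all matching lines
        result = set.intersection(*grants)
    elif policy == "most_permissive":  # union of all matching lines
        result = set.union(*grants)
    elif policy == "last_match":       # later lines override earlier ones
        result = grants[-1]
    else:
        raise ValueError(f"unknown policy: {policy}")
    return "".join(flag for flag in "rw" if flag in result)


def compare(users=("guest", "greg", "jane")):
    """Effective access for each user under each policy."""
    policies = ("most_restrictive", "most_permissive", "last_match")
    return {u: {p: evaluate(u, p) for p in policies} for u in users}


if __name__ == "__main__":
    for user, row in compare().items():
        print(f"{user:6}", row)
```

In this model only last_match yields guest=r, greg=rw and jane=r together, and only for this line order: with jane=r moved above @developers=rw, jane gets rw again, so rule order becomes part of the policy that has to be reviewed.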