Path-based authorization: multiple references to one user

Hello!

What should happen when a single section of an authorization file has
several rules which could match a given user? Statements from
documentation, mailing lists, and experience seem to conflict with each
other.

[groups]
users = jim
users2 = jim

[repo1:/]
jim = r
@users = rw

[repo2:/]
jim = r
* = rw

[repo3:/]
jim =
@users = r
@users2 = w

[repo4:/]
@users = r
@users2 = w

What permissions should 'jim' have in those cases?

My tests (on v1.5.1) seem to show that you simply get the union of all
rights for matching rules, so long as at least one rule matched. (So,
"rw" for jim on all repos above.) There was a 2006 discussion here,
which is at least consistent with that:

<http://subversion.tigris.org/servlets/BrowseList?list=users&by=thread&from=472543>

At some much earlier point, I'd convinced myself by testing that the
specificity of the identified party (user > group > wildcard '*') was
used. And where several group rules matched, the union of the
permissions of those rules applied. (So "r", "r", "", "rw" above.) Was
that ever the case, or must I have bungled my tests? Here's a 2004
thread on the developer list that partially confirms my conviction:

<http://subversion.tigris.org/servlets/BrowseList?list=dev&by=thread&from=220588>

The documentation suggests that there is some sort of ordering (by
discovery), that "the /first/ matching rule is the one which gets
applied to a user" (so "r", "r", "", "r"):

<http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html>

So, what are the intended and actual behaviours, and have they been
changing over the years (to account for my confusion)?

Thanks,

Steven

-- 
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org