
Re: mod_authz_svn Negative Permissions

From: <kmradke_at_rockwellcollins.com>
Date: Thu, 18 Dec 2008 10:42:24 -0600

"Karl M. Davis" <karl_at_davisonlinehome.name> wrote on 12/17/2008 12:38:55 PM:
> Hello all,
>
> I would really love to be able to do something like this:
> <<
> [/]
> @partner =
> * = rw
>
> [somerepo:/foo/bar]
> @partner = rw
>
> [groups]
> partner = bob, fred
> >>
>
> Instead, I have to do the following, which will require a lot more
> maintenance:
> <<
> [/]
> * =
> @internal = rw
>
> [somerepo:/foo/bar]
> @partner = rw
>
> [groups]
> partner = bob, fred
> internal = tom, dick, harry, frank, billy, yadda, etc
> >>
>
> Keeping the "internal" group up to date won't be much fun. Is there any
> way to make the first config example work? It would be ideal if there were
> an option that set things such that the first matching user entry in each
> section was the one enforced.
>
> This page does a good job of documenting the current behavior:
> http://www.developingprogrammers.com/index.php/2008/08/13/subversion-acl-permissions-explained/

That is a very interesting website!

I've found using "*" is fairly error prone. However, if you look at
the subversion/libsvn_repos/repos.c file you will see some additional
information even the book doesn't mention:

"### The authorizations follow. An authorization line can refer to:"
"### - a single user,"
"### - a group of users defined in a special [groups] section,"
"### - an alias defined in a special [aliases] section,"
"### - all authenticated users, using the '$authenticated' token,"
"### - only anonymous users, using the '$anonymous' token,"
"### - anyone, using the '*' wildcard."
"###"
"### A match can be inverted by prefixing the rule with '~'. Rules can"
"### grant read ('r') access, read-write ('rw') access, or no access"

The important things are:

- Prefixing the rule with '~' will invert it.
- $authenticated equates to all authenticated users (not anyone like '*')
- $anonymous equates to only anonymous users

I believe most people would be better served with using the
'$authenticated' and '$anonymous' tokens instead of '*'.

[/]
$authenticated=rw

[/anon]
$anonymous=r

[/hidden_from_bob]
bob=

This will allow all authenticated users (including bob) to
have r/w permissions to the whole repository except bob
does not have access to anything under /hidden_from_bob.
(And anonymous users can read /anon)

NOTE: I didn't actually try the above canned authz file, but
it represents things I've tried in the past.

Kevin R.
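The matching rules Kevin quotes from repos.c can be exercised without a server. What follows is an added example, not code from this thread or from Subversion itself: a small Python evaluator that implements the principal matching described above ('~' inversion, `$authenticated`, `$anonymous`, `*`, `@groups` and `&aliases`) and walks from the requested path toward `/`, consulting `[repo:path]` before `[path]`. The "fall through to the parent path when no rule in a section applies to the user, and let any applicable rule that grants the right win" behaviour is modelled on libsvn_repos and should be read as an assumption of this model rather than a specification. The three authz texts are the ones from the thread (Kevin's canned file, Karl's first attempt, and Karl's first attempt rewritten with the inverted-group rule).

```python
"""Added example: evaluator for the Subversion authz semantics discussed in the thread.
Constructed for illustration; not mod_authz_svn's own implementation."""
import configparser

# Kevin's canned authz file from the reply above.
KEVINS_AUTHZ = """
[/]
$authenticated=rw

[/anon]
$anonymous=r

[/hidden_from_bob]
bob=
"""

# Karl's first attempt: '@partner =' is overridden by '* = rw' in the same section.
KARLS_FIRST_AUTHZ = """
[/]
@partner =
* = rw

[somerepo:/foo/bar]
@partner = rw

[groups]
partner = bob, fred
"""

# Karl's intent expressed with the '~' inversion the repos.c comment documents.
KARLS_INVERTED_AUTHZ = """
[/]
~@partner = rw

[somerepo:/foo/bar]
@partner = rw

[groups]
partner = bob, fred
"""


def parse_authz(text):
    """Parse authz text into (groups, aliases, rules); rules maps
    (repo_or_None, path) -> [(principal, perms), ...] in file order."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    groups = {name: [m.strip() for m in (members or "").split(",") if m.strip()]
              for name, members in (cp.items("groups") if cp.has_section("groups") else [])}
    aliases = dict(cp.items("aliases")) if cp.has_section("aliases") else {}
    rules = {}
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        repo, _, path = section.rpartition(":")  # "[repo:/path]" or "[/path]"
        rules[(repo or None, path.rstrip("/") or "/")] = cp.items(section)
    return groups, aliases, rules


def _in_group(user, group, groups, aliases, seen=frozenset()):
    """Group membership, following nested @groups (cycle-safe) and &aliases."""
    seen = seen | {group}
    for member in groups.get(group, []):
        if member.startswith("@"):
            if member[1:] not in seen and _in_group(user, member[1:], groups, aliases, seen):
                return True
        elif member.startswith("&"):
            if aliases.get(member[1:]) == user:
                return True
        elif member == user:
            return True
    return False


def principal_matches(principal, user, groups, aliases):
    """Does a rule's left-hand side apply to `user`?  None means anonymous."""
    if principal.startswith("~"):  # '~' inverts the match
        return not principal_matches(principal[1:], user, groups, aliases)
    if principal == "*":
        return True
    if principal == "$authenticated":
        return user is not None
    if principal == "$anonymous":
        return user is None
    if principal.startswith("@"):
        return user is not None and _in_group(user, principal[1:], groups, aliases)
    if principal.startswith("&"):
        return user is not None and aliases.get(principal[1:]) == user
    return user == principal


def check_access(authz, repo, path, user, required):
    """True if `user` holds right `required` ('r' or 'w') on `path` in `repo`.
    Walks from the path toward '/', [repo:path] before [path]; the first
    section in which any rule applies to the user decides (assumed model)."""
    groups, aliases, rules = authz
    path = path.rstrip("/") or "/"
    while True:
        for key in ((repo, path), (None, path)):
            if key not in rules:
                continue
            allow, deny = set(), set()
            for principal, perms in rules[key]:
                if principal_matches(principal, user, groups, aliases):
                    perms = (perms or "").replace(" ", "")
                    for right in "rw":
                        (allow if right in perms else deny).add(right)
            if required in allow:  # an applicable rule grants the right
                return True
            if required in deny:   # rules applied, none granted it
                return False
        if path == "/":
            return False           # no rule applied anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    first, inverted = parse_authz(KARLS_FIRST_AUTHZ), parse_authz(KARLS_INVERTED_AUTHZ)
    print("bob writes /secret under Karl's first file:", check_access(first, "somerepo", "/secret", "bob", "w"))
    print("bob reads /secret with ~@partner:", check_access(inverted, "somerepo", "/secret", "bob", "r"))
```

Running it shows why Karl's first file does not do what he wants: in `[/]` bob matches both `@partner =` and `* = rw`, and the granting rule wins, so bob gets read-write everywhere. With `~@partner = rw` only non-partners match the root rule, and bob is confined to `somerepo:/foo/bar`. One caveat of this model worth checking against your own server: `~@partner` also matches anonymous requests, so a repository that serves anonymous users wants an explicit `$anonymous =` line beside it.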

http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=986810
Received on 2008-12-18 17:43:40 CET

This is an archived mail posted to the Subversion Users mailing list.
