
Re: Problem implementing path-based authorization with authz

From: Brian Topping <topping_at_codehaus.org>
Date: Sat, 9 Jan 2010 16:31:07 -0500

On Jan 9, 2010, at 12:58 PM, Rob van Oostrum wrote:

> I see now. The path "/project/!svn" makes no sense. It doesn't exist in the repository, so that rule doesn't do anything. The !svn is a SVN-internal concept. To assign permissions to /project, you need to specify:
>
> [/project]
> * = r
>
> Do a search on the old list archives on tigris for some background. If I remember correctly, you cannot have less than global read permissions on the repository's root if you're on SVN 1.5 or later.
>
> Hope this helps,
> Rob
>

Thanks Rob. The last note does help and that seems to be correct based on my experimentation, but it seems to go a little further, that a user must have the same access to the root directory as they do for the particular directory that they are working on. So that would mean if a user in @public has rw access to and wants to commit to /project/public_files, they have to have write access to /project so the metadata can be updated.

For the benefit of others that may come across this in the archives, it turns out about the only way I was able to figure out to set this up was the following:

> [/project]
> * = rw
>
> [/project/trunk/core]
> @project-core-developer = rw
> @project-web-developer =
>
> [/project/trunk/web]
> @project-core-developer =
> @project-web-developer = rw
>
> [/project/trunk/common]
> @project-core-developer = rw
> @project-web-developer = rw

In other words, to do an exhaustive matrix of every combination of paths and access for every group for each path.

Granted, some or much of this information may be irrelevant outside the Crowd environment, but the situation is worse with the stock LDAP adapters for Apache. They can't even read groups in.

Anyway, thanks for thinking this through with me.

Cheers, Brian
Received on 2010-01-09 22:31:49 CET
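
An added example, not part of the original message: a simplified model of Subversion's documented authz lookup (the nearest path section that names the user decides, otherwise the parent is consulted), used to audit the effective access the rule set above produces. The `[groups]` section and the users alice, bob and carol are constructed for illustration, and combining several matching lines in one section as a union is an assumption of this model.

```python
import configparser

# Constructed sample: the rules from the message plus an assumed [groups]
# section (alice, bob and carol are hypothetical users, not from the thread).
AUTHZ = """
[groups]
project-core-developer = alice
project-web-developer = bob

[/project]
* = rw

[/project/trunk/core]
@project-core-developer = rw
@project-web-developer =

[/project/trunk/web]
@project-core-developer =
@project-web-developer = rw

[/project/trunk/common]
@project-core-developer = rw
@project-web-developer = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in v.split(",")} for g, v in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def effective_access(user, path, groups, rules):
    # Walk from path up to "/"; the nearest section naming the user decides.
    # Assumption: several matching lines in one section combine as a union.
    while True:
        granted, matched = set(), False
        for who, perms in rules.get(path, {}).items():
            if who == "*" or who == user or (who[0] == "@" and user in groups.get(who[1:], ())):
                matched = True
                granted |= set(perms.strip())
        if matched:
            return "".join(c for c in "rw" if c in granted)
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"

def matrix(users, paths, groups, rules):
    return {(u, p): effective_access(u, p, groups, rules) for u in users for p in paths}
```

Under this model carol, who is in neither group, resolves to `rw` on `/project/trunk/core`, because the nearest section that names her is `[/project]` with `* = rw`. Running `matrix` over every user and path section is a quick way to spot that kind of inherited grant before deploying an authz file.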

This is an archived mail posted to the Subversion Users mailing list.
