
RE: Granting full access to a directory, readonly access to path to directory, deny access to rest of tree?

From: Bob Archer <Bob.Archer_at_amsi.com>
Date: Thu, 5 Aug 2010 12:26:47 -0400

> Suppose I have a bunch of projects, and I want to grant full access
> to a group, but no access to anything else.  Please don't call me
> anti-social.
>
> /trunk/proja
> /trunk/projb
> /trunk/projc
>
> I want to grant full access to proja to groupa, but no access to
> the others.  How can I do this?
>
> [repo:/]
> @groupa = r
> @others = rw
>
> [repo:/trunk/proja]
> @groupa = rw
>
> [repo:/trunk/projb]
> @groupa =
>
> [repo:/trunk/projc]
> @groupa =
>
> However, this does not scale well.  When I add projd, I need to
> make sure that I remove access (@groupa=;) for all the groups that
> should not have access.  That is, I am practicing negative access
> control (deny access), which is error prone.
>
> Is there a way for the permissions to not be recursive, so that I
> could grant @groupa access to / without it applying to /**?
>
> We could reorg the repo (/trunk/secret and /trunk/groupa), but that
> seems like the tail wagging the dog (security issues dictating repo
> layout).
>

How about something like:

[repo:/]
@groupa =
@others = rw
 
[repo:/trunk/proja]
@groupa = rw
 

This way groupa has no rights to root... and rw to /trunk/proja.

I'm pretty sure this works... although there was a bug with the group being able to create a branch in their allowed path if they didn't have read access to root. However, I think this was fixed in a recent version, .10 or newer perhaps. You can check the change logs.

If others are everyone else, I think you can even do:

[repo:/]
@groupa =
* = rw
 
[repo:/trunk/proja]
@groupa = rw

But, not sure, you would have to test.

BOb
Received on 2010-08-05 18:27:28 CEST
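
Added example, not part of the original mail and not Subversion's own code: a small Python model for testing the two rule sets suggested above before deploying them. It assumes that the deepest section with an entry matching the user decides, that entries matching the user within one section combine, and that no matching section means no access; the members alice and bob are constructed, and the result should be confirmed against the server version in use.

```python
import configparser

# Constructed membership; the thread never lists who is in each group.
GROUPS = {"groupa": {"alice"}, "others": {"bob"}}

FIRST = """
[repo:/]
@groupa =
@others = rw
[repo:/trunk/proja]
@groupa = rw
"""
STAR = FIRST.replace("@others = rw", "* = rw")  # the second suggestion

def parse(text):
    """Map each section's path to its (principal, rights) entries."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep names as written
    cp.read_string(text)
    return {s.split(":", 1)[1]: list(cp[s].items()) for s in cp.sections()}

def applies(principal, user):
    """True if an entry name ('*', '@group' or a user name) covers user."""
    if principal == "*":
        return True
    if principal.startswith("@"):
        return user in GROUPS.get(principal[1:], set())
    return principal == user

def access(text, user, path):
    """Return '', 'r' or 'rw' for user on path under the assumed model."""
    rules = parse(text)
    path = path.rstrip("/") or "/"
    while True:
        hits = [r for who, r in rules.get(path, []) if applies(who, user)]
        if hits:
            # Assumption: matching entries in one section combine.
            return "".join(c for c in "rw" if any(c in h for h in hits))
        if path == "/":
            return ""  # no section mentions the user: no access
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("star", STAR)):
        for user in ("alice", "bob"):
            for path in ("/", "/trunk/proja", "/trunk/projb"):
                print(name, user, path, repr(access(text, user, path)))
```

Under those assumptions the `* = rw` variant gives a groupa member rw on /trunk/projb, because `*` matches that user in the same section as the empty `@groupa` entry.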

This is an archived mail posted to the Subversion Users mailing list.
