David Brodbeck <brodbd_at_uw.edu> wrote on 04/26/2011 06:07:13 PM:
> On Tue, Apr 26, 2011 at 3:23 PM, Alan M. Evans <ame1_at_extratech.com> wrote:
> On Tue, 2011-04-26 at 17:18 -0500, kmradke_at_rockwellcollins.com wrote:
> > "Alan M. Evans" wrote on 04/26/2011 04:54:37 PM:
> > >
> > > > I've found using "*" to be non-intuitive. Try:
> > > >
> > > > [/]
> > > > $authenticated=rw
> > > > jon=
> > >
> > > Thanks for the reply! Unfortunately, jon still has full access...
> >
> > Does order matter? I think the first match wins:
> >
> > [/]
> > jon=
> > $authenticated=rw
> No difference. jon still has access.
>
> The manual says "first match wins" but that's wrong. When I asked
> about this I was pointed to this discussion:
> http://svn.haxx.se/dev/archive-2010-01/0340.shtml
> It turns out the permissions are basically or'ed; the user gets a
> combination of permissions from all the lines that apply to them.
> So the short answer is there's probably no way to do what you want
> except by creating a group with everyone but jon in it.
Ah yes, too much simplification on my part.

I've done (a more complex example) like this:

[/]
$authenticated=rw

[/jon_cant_see_me]
jon=

Jon can see everything in the repo except anything under /jon_cant_see_me.

I believe this works because it first matches all the lines for the
specific path, then tries to apply the inherited perms...
(Each specific path follows the OR rules specified in the discussion
thread, and since the /jon_cant_see_me path only explicitly specifies
jon, we are ok...)

Kevin R.
Received on 2011-04-27 01:27:29 CEST
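
Added example (not part of the original thread and not Subversion's own code): a simplified Python model of the evaluation described in this thread, where grants from all matching lines in a section are OR'ed and the most specific path section that mentions the user decides. It assumes an authenticated user and handles only plain user names, "*" and "$authenticated" (no groups, aliases or per-repository sections); the function names are hypothetical. It also flags empty "user=" lines that are overridden by a grant in the same section.

```python
# Simplified model of the authz behaviour described in the thread (an assumption,
# not Subversion's implementation). The two rule sets are the ones quoted above.
SAME_SECTION = "[/]\n$authenticated=rw\njon=\n"
SUBPATH = "[/]\n$authenticated=rw\n[/jon_cant_see_me]\njon=\n"

def parse(text):
    """Parse authz text into {path: [(principal, perms), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            current.append((name.strip(), set(value.strip()) & {"r", "w"}))
    return sections

def applies(principal, user):
    """True if a rule line applies to this (authenticated) user."""
    return principal in (user, "*", "$authenticated")

def access(sections, user, path):
    """Return the effective permission set for user at path."""
    path = "/" + path.strip("/")
    while True:
        rules = [p for name, p in sections.get(path, []) if applies(name, user)]
        if rules:                        # this section mentions the user: it decides
            return set().union(*rules)   # grants from all matching lines are OR'ed
        if path == "/":
            return set()                 # no applicable rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"   # fall back to the parent path

def ineffective_denies(sections):
    """List (path, user) for empty rules overridden by a grant in the same section."""
    found = []
    for path, rules in sections.items():
        for name, perms in rules:
            if not perms and name not in ("*", "$authenticated"):
                if access(sections, name, path):
                    found.append((path, name))
    return found

if __name__ == "__main__":
    for label, text in (("same section", SAME_SECTION), ("subpath", SUBPATH)):
        s = parse(text)
        print(label, sorted(access(s, "jon", "/jon_cant_see_me/f")), ineffective_denies(s))
```
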