On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
> I tried without anything and still no good
>
> [/DEF]
> @dev =
> @dev1 = rw
>
>
> I have setup a test repo called sandbox with some subdirectories. Here is my authz file minus all the commented out lines:
>
> [aliases]
>
> [groups]
> dev = rcrespo, test
> dev1 = test
> qa = qagroup
>
> [/DEF]
> @dev =
> @dev1 = rw
>
> [/]
> @dev = rw
> @qa = r
>
> I am still able to commit files in the DEF directory using the rcrespo login.

Hmmm... I think you'll have to revoke the dev's group rw access on the root.
Then grant write permissions to subtrees individually. I suspect this is
because permissions for all path components are combined to form the final
set of permissions for a given full path.

The book was wrong about this for a long time.
It claimed that permissions for earlier components of a path were
overridden by permissions for later components, which is incorrect.
When the error was found we decided to change the book instead of
changing the code to avoid breaking existing authz setups that rely
on this behaviour.

This snippet from the book tries to explain this. But it's not very
clear because it only talks about individual users vs. group
permissions:

"Another important fact is that group permissions are not overridden by
individual user permissions. Rather, the combination of all matching
permissions is granted. In the prior example, Jane is a member of the
paint-developers group, which has read/write access. Combined with the
jane = r rule, this still gives Jane read/write access. Permissions for
group members can only be extended beyond the permissions the group
already has. Restricting users who are part of a group to less than
their group's permissions is impossible."
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

I suspect the same holds for group vs. group permissions, i.e. you cannot
restrict permissions for the 'dev' group anywhere in the tree since
you've already granted rw permissions on the root folder.

So, assuming your 'dev' group is working in subtrees /ABC and /GHI
I think you'll need:

[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/]
# no access at all for 'dev' at the root:
@dev =
@qa = r

[/DEF]
# the following commented line is now implied so not needed:
#@dev =
@dev1 = rw

# grant 'dev' read-write on subtrees they need:
[/ABC]
@dev = rw

[/GHI]
@dev = rw

Does this work as expected?

Received on 2012-01-31 14:46:07 CET
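
A check for the layout discussed in this thread, as an added example that is not part of the original message and not Subversion's own code: it parses an authz file and reports every entry that tries to give a principal fewer rights than an ancestor path already grants, which is the pattern the reply suspects does not restrict access. The function names are assumptions of this example, the sample is copied from the quoted authz file, and only plain `[/path]` sections are handled.

```python
import configparser

# Constructed sample: the authz file quoted in the message above.
SAMPLE_AUTHZ = """\
[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup
[/DEF]
@dev =
@dev1 = rw
[/]
@dev = rw
@qa = r
"""

def parse_authz(text):
    """Return (groups, rules): group -> set of users, path -> {principal: rights}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        if section == "groups":
            for name, members in cp.items(section):
                groups[name] = {m.strip() for m in members.split(",") if m.strip()}
        elif section.startswith("/"):
            rules[section] = {k: v.strip() for k, v in cp.items(section)}
    return groups, rules

def is_under(path, parent):
    # True when 'path' lies strictly below 'parent' on a path-component boundary.
    return path != parent and (parent == "/" or path.startswith(parent.rstrip("/") + "/"))

def find_narrowing_entries(text):
    """List entries that grant a principal less than an ancestor section does."""
    groups, rules = parse_authz(text)
    findings = []
    for path, entries in rules.items():
        for principal, rights in entries.items():
            for parent, parent_entries in rules.items():
                if not is_under(path, parent):
                    continue
                granted = parent_entries.get(principal, "")
                if set(granted) - set(rights):  # ancestor grants a right this entry drops
                    who = sorted(groups.get(principal[1:], ())) if principal.startswith("@") else [principal]
                    findings.append((path, principal, rights, parent, granted, who))
    return findings
```

Each finding is a tuple of (path, principal, rights at that path, ancestor path, rights at the ancestor, affected users), so the output names the accounts to retest after the root grant is removed.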