
Re: Limited subdirectory access

From: Stefan Sperling <stsp_at_elego.de>
Date: Tue, 31 Jan 2012 14:45:30 +0100

On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
> I tried without anything and still no good
>
> [/DEF]
> @dev =
> @dev1 = rw
>
>
> I have set up a test repo called sandbox with some subdirectories. Here is my authz file minus all the commented out lines:
>
> [aliases]
>
> [groups]
> dev = rcrespo, test
> dev1 = test
> qa = qagroup
>
> [/DEF]
> @dev =
> @dev1 = rw
>
> [/]
> @dev = rw
> @qa = r
>
> I am still able to commit files in the DEF directory using the rcrespo login.

Hmmm... I think you'll have to revoke the dev's group rw access on the root.
Then grant write permissions to subtrees individually. I suspect this is
because permissions for all path components are combined to form the final
set of permissions for a given full path.

The book was wrong about this for a long time.
It claimed that permissions for earlier components of a path were
overridden by permissions for later components, which is incorrect.

When the error was found we decided to change the book instead of
changing the code to avoid breaking existing authz setups that rely
on this behaviour.
This snippet from the book tries to explain this. But it's not very
clear because it only talks about individual users vs. group
permissions:

  "Another important fact is that group permissions are not overridden by
  individual user permissions. Rather, the combination of all matching
  permissions is granted. In the prior example, Jane is a member of the
  paint-developers group, which has read/write access. Combined with the
  jane = r rule, this still gives Jane read/write access. Permissions for
  group members can only be extended beyond the permissions the group
  already has. Restricting users who are part of a group to less than
  their group's permissions is impossible."
  http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

I suspect the same holds for group vs. group permissions, i.e. you cannot
restrict permissions for the 'dev' group anywhere in the tree since
you've already granted rw permissions on the root folder.

So, assuming your 'dev' group is working in subtrees /ABC and /GHI
I think you'll need:

 [groups]
 dev = rcrespo, test
 dev1 = test
 qa = qagroup
 
 [/]
 # no access at all for 'dev' at the root:
 @dev =
 @qa = r
 
 [/DEF]
 # the following commented line is now implied so not needed:
 #@dev =
 @dev1 = rw
 
 # grant 'dev' read-write on subtrees they need:
 [/ABC]
 @dev = rw
 [/GHI]
 @dev = rw

Does this work as expected?
Received on 2012-01-31 14:46:07 CET
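As an added example (not code from the thread), a small Python checker that parses an authz file like the one quoted above and applies the combining rule the book describes within a single path section: every rule in that section that names the user or one of the user's groups is unioned. It deliberately evaluates one section at a time and does not model how rules from parent paths interact; the sample file is the one from the question, without the empty [aliases] section.

```python
import configparser

# Constructed sample: the test repository's authz file from the question.
AUTHZ_TEXT = """\
[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/DEF]
@dev =
@dev1 = rw

[/]
@dev = rw
@qa = r
"""

def parse_authz(text):
    """Return (groups, sections): group name -> set of members,
    path section -> {principal: permission string such as 'rw' or ''}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   comment_prefixes=("#",), interpolation=None)
    cp.optionxform = str  # authz names are case-sensitive; keep them as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    sections = {sec: {k: (v or "") for k, v in cp[sec].items()}
                for sec in cp.sections() if sec.startswith("/")}
    return groups, sections

def principals(user, groups):
    """The user name plus every @group the user is a member of."""
    return {user} | {"@" + g for g, members in groups.items() if user in members}

def section_access(user, section_rules, groups):
    """Union of every rule in one section that names the user or one of their groups.
    Returns a subset of {'r', 'w'}; an empty set means the section grants nothing.
    Returns None when no rule in the section applies to this user at all."""
    perms = None
    for who in principals(user, groups):
        if who in section_rules:
            perms = (perms or set()) | set(section_rules[who])
    return perms

if __name__ == "__main__":
    groups, sections = parse_authz(AUTHZ_TEXT)
    for user in ("rcrespo", "test", "qagroup"):
        for sec, rules in sections.items():
            print(f"{user:8} {sec:5} {section_access(user, rules, groups)}")
```

Note that the user `test` still gets rw in [/DEF] from its dev1 membership: the empty `@dev =` line adds nothing but removes nothing, which is the point the book quote makes about group members.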

This is an archived mail posted to the Subversion Users mailing list.
