Stefan Sperling <stsp_at_elego.de> writes:
> On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
>> [groups]
>> dev = rcrespo, test
>> dev1 = test
>> qa = qagroup
>>
>> [/DEF]
>> @dev =
>> @dev1 = rw
>>
>> [/]
>> @dev = rw
>> @qa = r
>>
>> I am still able to commit files in the DEF directory using the rcrespo login.
>
> Hmmm... I think you'll have to revoke the dev's group rw access on the root.
> Then grant write permissions to subtrees individually. I suspect this is
> because permissions for all path components are combined to form the final
> set of permissions for a given full path.
>
> The book was wrong about this for a long time.
> It claimed that permissions for earlier components of a path were
> overridden by permissions for later components, which is incorrect.

I think that's misleading. The error in the book involved a user
matching multiple lines for a single location, like the user 'test'
above. When that happens the user gets the union of all the
permissions; the book mistakenly claimed the first matching line was
used.

Using the rules above in a file z.z:

$ tools/server-side/svnauthz-validate z.z rcrespo /ABC
user 'rcrespo' has rw access to '/ABC'
$ tools/server-side/svnauthz-validate z.z rcrespo /DEF
user 'rcrespo' has no access to '/DEF'
$ tools/server-side/svnauthz-validate z.z test /DEF
user 'test' has rw access to '/DEF'

It appears the authz file is correct and denies rcrespo access to /DEF.
I suspect the problem is a failure to enable authz at all--editing the
wrong config file, accessing the wrong repository, failing to restart
Apache, something like that.
--
Philip
Received on 2012-01-31 15:01:25 CET
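
Added example (not part of the original message, and not Subversion's own code): a simplified Python model of the lookup whose results svnauthz-validate reports above, in which the most specific section containing a line that matches the user decides, and multiple matching lines in that section are unioned. It assumes only plain user names, @group entries and `*`; the function names are hypothetical.

```python
# Simplified model of path-based authz lookup; not Subversion's implementation.
# Assumes plain users, @groups and '*' only (no aliases, '~', repo prefixes).

AUTHZ = """\
[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/DEF]
@dev =
@dev1 = rw

[/]
@dev = rw
@qa = r
"""

def parse(text):
    """Return (groups, sections); sections maps path -> [(who, perms)]."""
    groups, sections, current = {}, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("["):
            current = line.strip("[]")
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if current == "groups":
            groups[key] = {u.strip() for u in value.split(",")}
        else:
            sections.setdefault(current, []).append((key, set(value)))
    return groups, sections

def matches(who, user, groups):
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who in ("*", user)

def access(text, user, path):
    """Return '', 'r' or 'rw' for user on path."""
    groups, sections = parse(text)
    path = "/" + path.strip("/")
    while True:
        hits = [p for who, p in sections.get(path, []) if matches(who, user, groups)]
        if hits:  # most specific section with a matching line decides
            return "".join(c for c in "rw" if c in set().union(*hits))
        if path == "/":
            return ""  # no rule matched this user anywhere
        path = path.rsplit("/", 1)[0] or "/"
```

In this model a user with no matching line in [/DEF], such as qagroup, falls back to the entry in [/].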