subversion-users mailing list archives

From Bob Archer <Bob.Arc...@amsi.com>
Subject RE: Granting full access to a directory, readonly access to path to directory, deny access to rest of tree?
Date Thu, 05 Aug 2010 16:26:47 GMT
> Suppose I have a bunch of projects, and I want to grant full access
> to a group, but no access to anything else.  Please don't call me
> anti-social.
> 
> /trunk/proja
> /trunk/projb
> /trunk/projc
> 
> I want to grant full access to proja to groupa, but no access to
> the others.  How can I do this?
> 
> [repo:/]
> @groupa = r
> @others = rw
> 
> [repo:/trunk/proja]
> @groupa = rw
> 
> [repo:/trunk/projb]
> @groupa =
> 
> [repo:/trunk/projc]
> @groupa =
> 
> However, this does not scale well.  When I add projd, I need to
> make sure that I remove access (@groupa=;) for all the groups that
> should not have access.  That is, I am practicing negative access
> control (deny access), which is error prone.
> 
> Is there a way for the permissions to not be recursive, so that I
> could grant @groupa access to / without it applying to /**?
> 
> We could reorg the repo (/trunk/secret and /trunk/groupa), but that
> seems like the tail wagging the dog (security issues dictating repo
> layout).
> 

How about something like:

[repo:/]
@groupa = 
@others = rw
 
[repo:/trunk/proja]
@groupa = rw
 

This way groupa has no rights to root... and rw to /trunk/proja.

I'm pretty sure this works... although there was a bug with the group being able to create
a branch in their allowed path if they didn't have read access to root. However, I think this
was fixed in a recent version .10 or newer perhaps. You can check the change logs.

If others are everyone else, I think you can even do:

[repo:/]
@groupa = 
* = rw
 
[repo:/trunk/proja]
@groupa = rw

But, not sure, you would have to test.

BOb
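
An added example, not part of the original message or of Subversion's code: a small Python model for checking both variants above before deploying them. It assumes the lookup rules described in the Subversion book (the nearest section with a line matching the user decides, and matching lines within one section are combined); the group membership (alice, bob) is constructed, and aliases, `~` negation, `$authenticated` and nested groups are not modelled. In this model the second variant gives groupa members rw at the root, because `* = rw` matches them as well.

```python
import configparser

# Constructed group membership (the post does not show its [groups] section).
GROUPS = "[groups]\ngroupa = alice\nothers = bob\n"
ROOT_DENY = "[repo:/]\n@groupa =\n{} = rw\n[repo:/trunk/proja]\n@groupa = rw\n"
FIRST = GROUPS + ROOT_DENY.format("@others")   # first variant in the reply
SECOND = GROUPS + ROOT_DENY.format("*")        # second variant in the reply

def load_authz(text):
    """Parse authz text into ({group: members}, {path: {who: rights}})."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        if section == "groups":
            for name, members in cp[section].items():
                groups[name] = {m.strip() for m in members.split(",") if m.strip()}
        else:
            # Drop the "repo:" prefix; this model handles one repository.
            path = section.split(":", 1)[-1].rstrip("/") or "/"
            rules[path] = dict(cp[section])
    return groups, rules

def applies(who, user, groups):
    """True if the rule name 'who' (user, @group or *) covers this user."""
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who in ("*", user)

def access(text, user, path):
    """Return '', 'r' or 'rw': what this model grants user on path."""
    groups, rules = load_authz(text)
    path = path.rstrip("/") or "/"
    while True:
        hits = [r for w, r in rules.get(path, {}).items() if applies(w, user, groups)]
        if hits:  # nearest section with a matching line decides
            return "".join(c for c in "rw" if any(c in r for r in hits))
        if path == "/":
            return ""  # no rule matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    for label, cfg in (("first", FIRST), ("second", SECOND)):
        for p in ("/trunk", "/trunk/proja/src", "/trunk/projb"):
            print(label, "alice", p, repr(access(cfg, "alice", p)))
```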

