You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Lukas Ruf <ru...@rawip.org> on 2004/04/19 12:32:51 UTC
commit-access-control vs. AuthzSVNAccessFile
Dear all,
fiddling around with subversion, appreciating subversion more
everyday, I stumbled over AuthzSVNAccessFile in the subversion book.
It has risen the following questions in mind:
- AuthzSVNAccessFile sections:
Am I right that the sections support perl-regex as well?
i.e.:
[repos:/[a-e]]
* =
[repos:/[f-i]]
* = r
[repos:/[j-z]]
* = rw
would deny access completely to the projects a to e, allow read
access to all projects f to i, and read-write access to the projects
j to z.
- Is there any fundamental difference from a user perspective between
AuthzSVNAccessFile and commit-access-control except that
AuthzSVNAccessFile is more powerful by that it allows also to deny
access to a project completely?
- Am I right that I do not need to restart apache2 every time I
modified anything in an access control file of AuthzSVNAccessFile?
- Parent directories must be accessible if a directory must be
accessed?
i.e.:
[repos:/[a-e]]
* = r
[repos:/[a-e]/input]
* = rw
would work
while
[repos:/[a-e]]
* =
[repos:/[a-e]/input]
* = rw
wouldn't?
Thanks for any clarification!
wbr,
Lukas
--
Lukas Ruf | Wanna know anything about raw |
<http://www.lpr.ch> | IP? -> <http://www.rawip.org> |
eMail Style Guide: <http://www.rawip.org/style.html>|
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: commit-access-control vs. AuthzSVNAccessFile
Posted by Lukas Ruf <ru...@rawip.org>.
Thanks for the reply!
> Ben Collins-Sussman <su...@collab.net> [2004-04-19 15:31]:
>
> Lukas Ruf wrote:
>
>
> >- AuthzSVNAccessFile sections:
> > Am I right that the sections support perl-regex as well?
> > i.e.:
> >
> > [repos:/[a-e]]
> > * =
> >
> > [repos:/[f-i]]
> > * = r
> >
> > [repos:/[j-z]]
> > * = rw
> >
>
> No, you cannot put any regexps or pattern-matching expressions into the
> square-bracket sections.
>
>
ok, I see. I made the mistake by first putting
[/]
* = r
which then overruled the erroneous entries.
It seems that I have to live with it.
Thanks!
wbr,
Lukas
--
Lukas Ruf | Wanna know anything about raw |
<http://www.lpr.ch> | IP? -> <http://www.rawip.org> |
eMail Style Guide: <http://www.rawip.org/style.html>|
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: commit-access-control vs. AuthzSVNAccessFile
Posted by Ben Collins-Sussman <su...@collab.net>.
Lukas Ruf wrote:
> - AuthzSVNAccessFile sections:
> Am I right that the sections support perl-regex as well?
> i.e.:
>
> [repos:/[a-e]]
> * =
>
> [repos:/[f-i]]
> * = r
>
> [repos:/[j-z]]
> * = rw
>
No, you cannot put any regexps or pattern-matching expressions into the
square-bracket sections.
> - Is there any fundamental difference from a user perspective between
> AuthzSVNAccessFile and commit-access-control except that
> AuthzSVNAccessFile is more powerful by that it allows also to deny
> access to a project completely?
Correct. The user doesn't know which authz system the server is using.
(By the way, the third choice is svnperms.py.)
>
> - Am I right that I do not need to restart apache2 every time I
> modified anything in an access control file of AuthzSVNAccessFile?
>
Correct.
> - Parent directories must be accessible if a directory must be
> accessed?
> i.e.:
> [repos:/[a-e]]
> * = r
>
> [repos:/[a-e]/input]
> * = rw
>
> would work
>
> while
>
> [repos:/[a-e]]
> * =
>
> [repos:/[a-e]/input]
> * = rw
>
> wouldn't?
No, the second one would work as well. The rules "stack" from highest
level to lowest level, overriding each other as more fine-tuned
exceptions. In your second example, nobody can access /apple, but
there's a second rule which overrides the first rule for the path
/apple/input, which everyone can access.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org