Posted to users@subversion.apache.org by Lukas Ruf <ru...@rawip.org> on 2004/04/19 12:32:51 UTC

commit-access-control vs. AuthzSVNAccessFile

Dear all,

fiddling around with Subversion, appreciating Subversion more
every day, I stumbled over AuthzSVNAccessFile in the Subversion book.

It has raised the following questions in my mind:

- AuthzSVNAccessFile sections:
  Am I right that the sections support perl-regex as well?
  i.e.:

    [repos:/[a-e]]
    * =

    [repos:/[f-i]]
    * = r

    [repos:/[j-z]]
    * = rw

  would deny access completely to the projects a to e, allow read
  access to all projects f to i, and read-write access to the projects
  j to z.

- Is there any fundamental difference from a user perspective between
  AuthzSVNAccessFile and commit-access-control except that
  AuthzSVNAccessFile is more powerful by that it allows also to deny
  access to a project completely?

- Am I right that I do not need to restart apache2 every time I
  modified anything in an access control file of AuthzSVNAccessFile?

- Parent directories must be accessible if a directory must be
  accessed?
  i.e.:
    [repos:/[a-e]]
    * = r

    [repos:/[a-e]/input]
    * = rw

    would work

  while

    [repos:/[a-e]]
    * =

    [repos:/[a-e]/input]
    * = rw

    wouldn't?

Thanks for any clarification!

wbr,
Lukas
-- 
Lukas Ruf           | Wanna know anything about raw |
<http://www.lpr.ch> | IP? -> <http://www.rawip.org> |
eMail Style Guide: <http://www.rawip.org/style.html>|

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: commit-access-control vs. AuthzSVNAccessFile

Posted by Lukas Ruf <ru...@rawip.org>.
Thanks for the reply!

> Ben Collins-Sussman <su...@collab.net> [2004-04-19 15:31]:
>
> Lukas Ruf wrote:
>
>
> >- AuthzSVNAccessFile sections:
> >  Am I right that the sections support perl-regex as well?
> >  i.e.:
> >
> >    [repos:/[a-e]]
> >    * =
> >
> >    [repos:/[f-i]]
> >    * = r
> >
> >    [repos:/[j-z]]
> >    * = rw
> >
>
> No, you cannot put any regexps or pattern-matching expressions into the
> square-bracket sections.
>
>

ok, I see.  I made the mistake by first putting
    [/]
    * = r
which then overruled the erroneous entries.
It seems that I have to live with it.

Thanks!

wbr,
Lukas
-- 
Lukas Ruf           | Wanna know anything about raw |
<http://www.lpr.ch> | IP? -> <http://www.rawip.org> |
eMail Style Guide: <http://www.rawip.org/style.html>|


Re: commit-access-control vs. AuthzSVNAccessFile

Posted by Ben Collins-Sussman <su...@collab.net>.
Lukas Ruf wrote:


> - AuthzSVNAccessFile sections:
>   Am I right that the sections support perl-regex as well?
>   i.e.:
> 
>     [repos:/[a-e]]
>     * =
> 
>     [repos:/[f-i]]
>     * = r
> 
>     [repos:/[j-z]]
>     * = rw
> 

No, you cannot put any regexps or pattern-matching expressions into the 
square-bracket sections.


> - Is there any fundamental difference from a user perspective between
>   AuthzSVNAccessFile and commit-access-control except that
>   AuthzSVNAccessFile is more powerful by that it allows also to deny
>   access to a project completely?

Correct.  The user doesn't know which authz system the server is using. 
  (By the way, the third choice is svnperms.py.)

> 
> - Am I right that I do not need to restart apache2 every time I
>   modified anything in an access control file of AuthzSVNAccessFile?
>

Correct.


> - Parent directories must be accessible if a directory must be
>   accessed?
>   i.e.:
>     [repos:/[a-e]]
>     * = r
> 
>     [repos:/[a-e]/input]
>     * = rw
> 
>     would work
> 
>   while
> 
>     [repos:/[a-e]]
>     * =
> 
>     [repos:/[a-e]/input]
>     * = rw
> 
>     wouldn't?

No, the second one would work as well.  The rules "stack" from highest 
level to lowest level, overriding each other as more fine-tuned 
exceptions.  In your second example, nobody can access /apple, but 
there's a second rule which overrides the first rule for the path 
/apple/input, which everyone can access.





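The lookup behaviour described in the reply above, as an added example that is not part of the original thread and is not Subversion's own code: a simplified model of the path-based authz lookup (no groups or aliases) in which section names are matched literally and the most specific path decides. The repository name `repos`, the user `lukas` and the sample access file are constructed for illustration.

```python
# Simplified model of path-based authz lookup (assumption: no groups, no aliases).
SAMPLE_AUTHZ = """\
[repos:/[a-e]]
* =

[repos:/apple]
* =

[repos:/apple/input]
* = rw

[/]
* = r
"""

def parse_authz(text):
    """Return {section_name: {user: perms}}; section names are kept literally."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = rules.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            user, perms = (part.strip() for part in line.split("=", 1))
            current[user] = perms
    return rules

def effective_access(rules, repos, user, path):
    """Walk from path up to '/', returning (perms, deciding_section)."""
    parts = [p for p in path.split("/") if p]
    while True:
        candidate = "/" + "/".join(parts)
        # Assumption: a repository-specific section is checked before a global one.
        for section in (f"{repos}:{candidate}", candidate):
            entry = rules.get(section, {})
            for who in (user, "*"):
                if who in entry:
                    return entry[who], section
        if not parts:
            return "", None  # no rule matched at any level: no access
        parts.pop()

RULES = parse_authz(SAMPLE_AUTHZ)
for p in ("/apple", "/apple/input", "/apple/input/data.txt", "/banana"):
    print(p, effective_access(RULES, "repos", "lukas", p))
```

The `[repos:/[a-e]]` section is stored but never matches a real path, so `/banana` falls through to the `[/]` rule and stays readable. Checking each section name against the paths that actually exist in the repository catches this kind of silently ineffective deny rule.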