Posted to users@subversion.apache.org by Nico Kadel-Garcia <nk...@comcast.net> on 2006/04/08 15:21:48 UTC
Making tags write-once in Subversion 1.3.x, solved
I'd previously asked if there was a good way to make tags "write-once", to
prevent people editing tags after their creation. Various people sent
pointers to tools and guidelines that all boiled down to "only let
authorized users write to tags". This is not what I was looking for.
However, the svnperms.py and svnperms.conf tools in the current
distributions do *precisely* what I wanted. They allow me to use a
pre-commit to set tags with "add" permissions for everyone, "delete"
permissions for a manager, and no "update" permissions for anyone to prevent
people accidentally stepping on locked down tags. I really approve of this!
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
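The write-once policy described in the message above (anyone may create a tag, only a manager may delete one, nobody may change one), as an added example. It is not svnperms.py or code from the original post. It assumes tags live at tags/<name>/ and that "relmgr" is the manager account (a hypothetical name); the sample `svnlook changed` output is constructed.

```python
import re

# Assumptions (not from the original post): tag layout and manager account name.
TAG_TREE = re.compile(r"^tags/")
TAG_ROOT = re.compile(r"^tags/[^/]+/$")
MANAGERS = {"relmgr"}

ACTIONS = {"A": "add", "D": "remove", "U": "update"}


def parse_changed(output):
    """Yield (action, path) pairs from `svnlook changed` output.

    Column 1 is the text status, column 2 the property status,
    and the path starts at column 5.
    """
    for line in output.splitlines():
        if len(line) < 5:
            continue
        data, prop, path = line[0], line[1], line[4:]
        # "_U" is a property-only change: treat it as an update.
        # Anything unrecognised becomes "unknown" and is denied below.
        action = ACTIONS.get(data) or ("update" if prop == "U" else "unknown")
        yield action, path


def check_commit(author, changed_output):
    """Return the list of violations; an empty list means the commit passes."""
    violations = []
    for action, path in parse_changed(changed_output):
        if not TAG_TREE.match(path):
            continue  # trunk/ and branches/ are outside this policy
        if TAG_ROOT.match(path):
            if action == "add":
                continue  # creating tags/<name>/ is open to everyone
            if action == "remove" and author in MANAGERS:
                continue  # only a manager may delete a whole tag
        # Everything else under tags/ is refused: edits, property changes,
        # and adds or deletes below an existing tag.
        violations.append(f"{author}: {action} denied on {path}")
    return violations


# Constructed sample inputs in `svnlook changed` format.
SAMPLE_CREATE = "A   tags/release-1.0/\n"
SAMPLE_EDIT = "U   tags/release-1.0/src/main.c\n_U  tags/release-1.0/\n"
SAMPLE_DELETE = "D   tags/release-1.0/\n"
```

In a pre-commit hook the inputs would come from `svnlook author -t TXN REPOS` and `svnlook changed -t TXN REPOS`, and the hook would exit non-zero when the list is not empty. A tag created by copying shows up as a single added directory, so it passes; a tag built by adding files one by one underneath tags/<name>/ is refused by this policy.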
Re: Making tags write-once in Subversion 1.3.x, solved
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
----- Original Message -----
From: "Tony Morris" <tm...@tmorris.net>
To: "Nico Kadel-Garcia" <nk...@comcast.net>
Cc: <us...@subversion.tigris.org>
Sent: Saturday, April 08, 2006 6:37 PM
Subject: Re: Making tags write-once in Subversion 1.3.x, solved
> Nico Kadel-Garcia wrote:
>> I'd previously asked if there was a good way to make tags "write-once",
>> to prevent people editing tags after their creation. Various people sent
>> pointers to tools and guidelines that all boiled down to "only let
>> authorized users write to tags". This is not what I was looking for.
>>
>> However, the svnperms.py and svnperms.conf tools in the current
>> distributions do *precisely* what I wanted. They allow me to use a
>> pre-commit to set tags with "add" permissions for everyone, "delete"
>> permissions for a manager, and no "update" permissions for anyone to
>> prevent people accidentally stepping on locked down tags. I really
>> approve of this!
>>
> I may be out of line, but I've always wondered why you need hooks to do
> this. Specifically, why does mod_authz abstract the operations on a
> directory only to read/write? For example, I cannot use my authorization
> policy to allow a user to "add" but not "delete". It seems that there
> should at least be granularity of the usual CRUD operations
> (Create/Read/Update/Delete) instead of rolling the CUD into one "write". I
> assume that these then map to WebDAV operations, which some might argue,
> is the appropriate level of granularity. I'd at least settle for CRUD
> instead of just rw.
I'd have really liked that: it would have saved me from being sent
half-a-dozen really badly written hook scripts. It would also be similarly
useful if the svnserve.conf permissions could be integrated into file-based
access, rather than relying purely on local file permissions. The
discrepancies between HTTPS, svnserve, and local file permissions can cause
some confusion for careless administrators and force them to limit their
clients to one access mode only.
Re: Making tags write-once in Subversion 1.3.x, solved
Posted by Tony Morris <tm...@tmorris.net>.
Nico Kadel-Garcia wrote:
> I'd previously asked if there was a good way to make tags
> "write-once", to prevent people editing tags after their creation.
> Various people sent pointers to tools and guidelines that all boiled
> down to "only let authorized users write to tags". This is not what I
> was looking for.
>
> However, the svnperms.py and svnperms.conf tools in the current
> distributions do *precisely* what I wanted. They allow me to use a
> pre-commit to set tags with "add" permissions for everyone, "delete"
> permissions for a manager, and no "update" permissions for anyone to
> prevent people accidentally stepping on locked down tags. I really
> approve of this!
>
I may be out of line, but I've always wondered why you need hooks to do
this. Specifically, why does mod_authz abstract the operations on a
directory only to read/write? For example, I cannot use my authorization
policy to allow a user to "add" but not "delete". It seems that there
should at least be granularity of the usual CRUD operations
(Create/Read/Update/Delete) instead of rolling the CUD into one "write".
I assume that these then map to WebDAV operations, which some might
argue, is the appropriate level of granularity. I'd at least settle for
CRUD instead of just rw.
--
Tony Morris
http://tmorris.net/
s/Commonwealth Games/Commonwealth Swimming