Posted to users@subversion.apache.org by Rush Manbert <ru...@manbert.com> on 2008/02/09 01:24:20 UTC

Path-based access control seems broken

I have seen a couple of posts on this subject asking whether you could 
use wildcard characters in your authz-db file to generalize the access 
rules.

My question is more general than this. Basically, I need to restrict 
access to a certain directory subtree within our repository so only one 
or two people can access it. (Don't ask why. It's just required.) Let's 
say that the top level of the tree is located at 
/trunk/project/firmware, just to make things simple. I can easily add 
the access restriction for this directory and everything works as I 
would expect.

However, being good Subversionists, we follow the recommended practice 
and make tags and branches by using svn copy. The problem is that there 
will be no access restrictions on the firmware directory tree within the 
copies unless we go back to the authz_db file and add them.

I don't want to start a debate about the cost/benefits/badness/goodness 
of using access controls. But I wonder if there are other people using 
it who agree with me that this behavior seems to be wrong. I would 
expect that if I make a copy of an access-restricted directory the 
access restrictions will be "sticky" (ooh, that sounded sort of CVS-ish, 
didn't it?) and will apply to the copy as well.

Comments?

- Rush

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

RE: Path-based access control seems broken

Posted by Jonathan Ashley <jo...@praxis-his.com>.
> My question is more general than this. Basically, I need to
> restrict access to a certain directory subtree within our
> repository so only one or two people can access it. (Don't
> ask why. It's just required.) Let's say that the top level of
> the tree is located at /trunk/project/firmware, just to make
> things simple. I can easily add the access restriction for
> this directory and everything works as I would expect.
>
> However, being good Subversionists, we follow the recommended
> practice and make tags and branches by using svn copy. The
> problem is that there will be no access restrictions on the
> firmware directory tree within the copies unless we go back
> to the authz_db file and add them.
>
> I don't want to start a debate about the
> cost/benefits/badness/goodness of using access controls. But
> I wonder if there are other people using it who agree with me
> that this behavior seems to be wrong. I would expect that if
> I make a copy of an access-restricted directory the access
> restrictions will be "sticky" (ooh, that sounded sort of
> CVS-ish, didn't it?) and will apply to the copy as well.

Would be nice, but it just doesn't work like that. It's a pain
if you rename folders too - the access rights don't stay with
the folder. I think really the problem is that access
restriction is a bit of a bolt-on, not a prime design goal of
Subversion.

Incidentally, I have a similar problem to yours. I run a
post-commit hook that looks for folder names being added or
removed that match particular patterns, and regenerates the
access control file from a separate file that maps user names
to roles, if needed. Works very well so far.

regards,
--
Jon Ashley
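
A sketch of the kind of post-commit regeneration described in the reply above, as an added example; it is not Jon Ashley's hook or code from the Subversion project. The role map, the directory-name pattern, the default `[/]` rule and the sample `svnlook changed` / `svnlook tree --full-paths` lines are all assumptions constructed for illustration.

```python
import re

# Assumptions for illustration: role membership and the directory-name
# pattern would normally live in a separate file maintained by the admin.
ROLES = {"firmware-team": ["alice", "bob"]}
RESTRICTED = [(re.compile(r"(^|/)firmware/$"), "firmware-team")]
BASE_RULES = "[/]\n* = rw\n"  # assumed default: everyone else has read/write


def needs_regen(changed_lines):
    """Decide from `svnlook changed` output whether to rebuild the authz file.

    A copy or rename is reported only as its top-level directory, so a new
    branch never lists .../firmware/ itself. Any added or deleted directory
    therefore triggers a full rescan instead of matching the pattern here.
    """
    for line in changed_lines:
        path = line[4:].rstrip("\n")  # status flags occupy the first 4 columns
        if line[:1] in ("A", "D") and path.endswith("/"):
            return True
    return False


def build_authz(tree_paths):
    """Build authz text from `svnlook tree --full-paths` output lines."""
    sections = [BASE_RULES]
    for path in sorted(p.strip() for p in tree_paths):
        for pattern, role in RESTRICTED:
            if pattern.search(path):
                body = "\n".join(["* ="] + [f"{u} = rw" for u in ROLES[role]])
                sections.append(f"[/{path.rstrip('/')}]\n{body}\n")
    return "\n".join(sections)


# Constructed sample input: a commit that copies trunk to a release branch.
CHANGED = ["A   branches/rel-1.0/\n"]
TREE = [
    "/", "trunk/", "trunk/project/", "trunk/project/firmware/",
    "trunk/project/firmware/boot.c", "branches/", "branches/rel-1.0/",
    "branches/rel-1.0/project/", "branches/rel-1.0/project/firmware/",
    "branches/rel-1.0/project/firmware/boot.c",
]

if __name__ == "__main__":
    if needs_regen(CHANGED):
        print(build_authz(TREE))
```

A post-commit hook runs after the new revision is already visible, so a fresh copy is readable under the old rules until the regenerated file is in place. Writing the new file to a temporary name and renaming it over the old one avoids the server reading a half-written authz file.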

