Posted to users@subversion.apache.org by "Karl M. Davis" <ka...@davisonlinehome.name> on 2008/12/17 18:38:55 UTC

mod_authz_svn Negative Permissions

Hello all,

I would really love to be able to do something like this:
<<
[/]
@partner = 
* = rw

[somerepo:/foo/bar]
@partner = rw

[groups]
partner = bob, fred
>>

Instead, I have to do the following, which will require a lot more maintenance:
<<
[/]
* = 
@internal = rw

[somerepo:/foo/bar]
@partner = rw

[groups]
partner = bob, fred
internal = tom, dick, harry, frank, billy, yadda, etc
>>

Keeping the "internal" group up to date won't be much fun.  Is there any way to make the first config example work?  It would be ideal if there were an option that set things such that the first matching user entry in each section was the one enforced.

This page does a good job of documenting the current behavior: http://www.developingprogrammers.com/index.php/2008/08/13/subversion-acl-permissions-explained/


Thanks in advance,
Karl

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=985928

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: mod_authz_svn Negative Permissions

Posted by km...@rockwellcollins.com.
"Karl M. Davis" <ka...@davisonlinehome.name> wrote on 12/17/2008 12:38:55 PM:
> Hello all,
> 
> I would really love to be able to do something like this:
> <<
> [/]
> @partner = 
> * = rw
> 
> [somerepo:/foo/bar]
> @partner = rw
> 
> [groups]
> partner = bob, fred
> >>
> 
> Instead, I have to do the following, which will require a lot more maintenance:
> <<
> [/]
> * = 
> @internal = rw
> 
> [somerepo:/foo/bar]
> @partner = rw
> 
> [groups]
> partner = bob, fred
> internal = tom, dick, harry, frank, billy, yadda, etc
> >>
> 
> Keeping the "internal" group up to date won't be much fun.  Is there any way
> to make the first config example work?  It would be ideal if there were an
> option that set things such that the first matching user entry in each
> section was the one enforced.
> 
> This page does a good job of documenting the current behavior:
> http://www.developingprogrammers.com/index.php/2008/08/13/subversion-acl-permissions-explained/

That is a very interesting website!

I've found using "*" is fairly error prone.  However, if you look at
the subversion/libsvn_repos/repos.c file you will see some additional
information even the book doesn't mention:

"### The authorizations follow. An authorization line can refer to:"
"###  - a single user,"
"###  - a group of users defined in a special [groups] section,"
"###  - an alias defined in a special [aliases] section,"
"###  - all authenticated users, using the '$authenticated' token,"
"###  - only anonymous users, using the '$anonymous' token,"
"###  - anyone, using the '*' wildcard."
"###"
"### A match can be inverted by prefixing the rule with '~'. Rules can"
"### grant read ('r') access, read-write ('rw') access, or no access"

The important things are:

- Prefixing the rule with '~' will invert it.
- $authenticated equates to all authenticated users (not anyone like '*')
- $anonymous equates to only anonymous users

I believe most people would be better served with using the
'$authenticated' and '$anonymous' tokens instead of '*'.

[/]
$authenticated=rw

[/anon]
$anonymous=r

[/hidden_from_bob]
bob=

This will allow all authenticated users (including bob) to
have r/w permissions to the whole repository except bob
does not have access to anything under /hidden_from_bob.
(And anonymous users can read /anon)

NOTE: I didn't actually try the above canned authz file, but
it represents things I've tried in the past.

Kevin R.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=986810
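As an added example, not code from either post and not Subversion's own code: a small Python model of how the rules in an authz file are matched. It evaluates access for the layouts discussed in both messages wherever only one rule per section applies to a principal, and it flags the situation the first post runs into (a principal matching several rules in one section, here `@partner =` and `* = rw`), because the outcome there is exactly the precedence question the thread is asking about. The model does not try to reproduce mod_authz_svn's own precedence behaviour; it treats such sections as ambiguous so that the file can be rewritten until no principal matches more than one rule. The lookup order assumed is "most specific path section wins, repository-qualified section before the global one at the same path"; the `~`, `$authenticated`, `$anonymous`, `@group` and `*` matching follows the template text quoted in the reply. Nested groups and `[aliases]` are not modelled, and the three sample files are constructed for the example.

```python
"""Model of a Subversion authz file: parse it, resolve effective access where
the answer does not depend on rule precedence, and flag sections where it does.
Added example; not Subversion's own code."""
import configparser
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed sample: the first post's wished-for layout ('@partner =' then '* = rw').
WISHED = """\
[/]
@partner =
* = rw

[somerepo:/foo/bar]
@partner = rw

[groups]
partner = bob, fred
"""

# Constructed sample: the same intent using the '~' inversion from the quoted
# template, so no principal matches more than one rule in any section.
INVERTED = """\
[/]
~@partner = rw

[somerepo:/foo/bar]
@partner = rw

[groups]
partner = bob, fred
"""

# Constructed sample: the reply's $authenticated / $anonymous / 'bob =' layout.
TOKENS = """\
[/]
$authenticated = rw

[/anon]
$anonymous = r

[/hidden_from_bob]
bob =
"""


class AuthzAmbiguous(Exception):
    """Several rules in one section match the principal with different rights."""


def parse_authz(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep '@Group', '$authenticated', '*', '~' exactly as written
    cp.read_string(text)
    return cp


def _groups(cp) -> Dict[str, Set[str]]:
    """[groups] section as name -> set of members (nested groups not modelled)."""
    if not cp.has_section("groups"):
        return {}
    return {g: {m.strip() for m in (v or "").split(",") if m.strip()}
            for g, v in cp.items("groups")}


def rule_applies(ident: str, user: Optional[str], groups: Dict[str, Set[str]]) -> bool:
    """Does the rule identifier IDENT match USER?  user=None models an anonymous client."""
    invert = ident.startswith("~")
    if invert:
        ident = ident[1:]
    if ident == "*":
        hit = True
    elif ident == "$authenticated":
        hit = user is not None
    elif ident == "$anonymous":
        hit = user is None
    elif ident.startswith("@"):
        hit = user is not None and user in groups.get(ident[1:], set())
    else:
        hit = user is not None and user == ident
    return hit != invert


def _candidate_sections(repo: str, path: str) -> Iterator[str]:
    """Most specific first: 'repo:/a/b', '/a/b', 'repo:/a', '/a', ..., 'repo:/', '/'."""
    p = path.rstrip("/") or "/"
    while True:
        yield f"{repo}:{p}"
        yield p
        if p == "/":
            return
        p = p.rsplit("/", 1)[0] or "/"


def _section_rights(cp, section: str, user: Optional[str], groups) -> Optional[str]:
    """Rights from one section, None if no rule matches, AuthzAmbiguous on conflict."""
    matched = [(ident, "".join(c for c in "rw" if c in (rights or "")))
               for ident, rights in cp.items(section) if rule_applies(ident, user, groups)]
    if not matched:
        return None  # nothing here for this principal: fall through to the parent path
    distinct = {r for _, r in matched}
    if len(distinct) > 1:
        raise AuthzAmbiguous(f"[{section}] {user or '$anonymous'}: "
                             + ", ".join(f"{i!r} -> {r!r}" for i, r in matched))
    return distinct.pop()


def effective_access(cp, user: Optional[str], repo: str, path: str) -> str:
    """'' (no access), 'r' or 'rw' for USER on REPO:PATH; raises AuthzAmbiguous."""
    groups = _groups(cp)
    for section in _candidate_sections(repo, path):
        if cp.has_section(section):
            rights = _section_rights(cp, section, user, groups)
            if rights is not None:
                return rights
    return ""


def lint_ambiguous_sections(cp, users: List[str]) -> List[Tuple[str, str]]:
    """(section, principal) pairs whose rights depend on the server's precedence rules."""
    groups = _groups(cp)
    found = []
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        for user in list(users) + [None]:
            try:
                _section_rights(cp, section, user, groups)
            except AuthzAmbiguous:
                found.append((section, user or "$anonymous"))
    return found


if __name__ == "__main__":
    for label, text in (("wished", WISHED), ("inverted", INVERTED), ("tokens", TOKENS)):
        cp = parse_authz(text)
        print(label, "ambiguous:", lint_ambiguous_sections(cp, ["bob", "tom"]))
        for user in ("bob", "tom", None):
            for path in ("/", "/foo/bar", "/anon", "/hidden_from_bob/x"):
                try:
                    rights = repr(effective_access(cp, user, "somerepo", path))
                except AuthzAmbiguous as exc:
                    rights = f"AMBIGUOUS ({exc})"
                print(f"  {user or '$anonymous':12} somerepo:{path:20} {rights}")
```

Running the module prints an access matrix for each sample. For `WISHED` the linter reports `('/', 'bob')`: a partner matches both `@partner =` and `* = rw` in `[/]`, so what bob gets there is decided by the server's precedence rules rather than by the file. `INVERTED` has no ambiguous section, and the model also shows the trap in `~@partner = rw`: an anonymous client is "not a partner" too and is granted `rw` at `/`, so an inverted group rule has to be combined with an authentication requirement (or a `$anonymous` rule) before it is safe. `TOKENS` behaves as the reply describes: bob has `rw` everywhere except under `/hidden_from_bob`, and anonymous clients only get `r` under `/anon`.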