> Suppose I have a bunch of projects, and I want to grant full access
> to a group, but no access to anything else. Please don't call me
> anti-social.
>
> /trunk/proja
> /trunk/projb
> /trunk/projc
>
> I want to grant full access to proja to groupa, but no access to
> the others. How can I do this?
>
> [repo:/]
> @groupa = r
> @others = rw
>
> [repo:/trunk/proja]
> @groupa = rw
>
> [repo:/trunk/projb]
> @groupa =
>
> [repo:/trunk/projc]
> @groupa =
>
> However, this does not scale well. When I add projd, I need to
> make sure that I remove access (@groupa=;) for all the groups that
> should not have access. That is, I am practicing negative access
> control (deny access), which is error prone.
>
> Is there a way for the permissions to not be recursive, so that I
> could grant @groupa access to / without it applying to /**?
>
> We could reorg the repo (/trunk/secret and /trunk/groupa), but that
> seems like the tail wagging the dog (security issues dictating repo
> layout).
>
How about something like:

[repo:/]
@groupa =
@others = rw

[repo:/trunk/proja]
@groupa = rw

This way groupa has no rights to root... and rw to /trunk/proja.

I'm pretty sure this works... although there was a bug with the group
being able to create a branch in their allowed path if they didn't have
read access to root. However, I think this was fixed in a recent
version, .10 or newer perhaps. You can check the change logs.

If others are everyone else, I think you can even do:

[repo:/]
@groupa =
* = rw

[repo:/trunk/proja]
@groupa = rw

But, not sure, you would have to test.

BOb
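
The two layouts in this thread, compared for a newly added /trunk/projd. This is an added example, not part of the original messages and not the tool's own code. It assumes a simplified model in which the nearest ancestor section naming the group decides and an empty value means no access; the "* = rw" variant is not modelled, since its result depends on how the tool combines several matching lines in one section.

```python
# Added example. Assumption: the nearest ancestor section that names
# the group decides; an empty value means no access.

DENY_LIST = """
[repo:/]
@groupa = r
@others = rw
[repo:/trunk/proja]
@groupa = rw
[repo:/trunk/projb]
@groupa =
[repo:/trunk/projc]
@groupa =
"""  # layout from the question

ALLOW_LIST = """
[repo:/]
@groupa =
@others = rw
[repo:/trunk/proja]
@groupa = rw
"""  # layout from the reply

def parse_rules(text):
    """Parse '[repo:/path]' sections holding '@group = perms' lines."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].partition(":")[2].rstrip("/") or "/"
            rules[section] = {}
        elif section is not None and "=" in line:
            name, perms = (part.strip() for part in line.split("=", 1))
            rules[section][name] = perms
    return rules

def effective_access(rules, group, path):
    """Walk from path up to '/', using the first section naming the group."""
    current = path.rstrip("/") or "/"
    while True:
        entry = rules.get(current, {})
        if "@" + group in entry:
            return entry["@" + group]
        if current == "/":
            return ""  # no section names the group: no access
        current = current.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    for label, text in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
        perms = effective_access(parse_rules(text), "groupa", "/trunk/projd")
        print(f"{label}: groupa on /trunk/projd -> {perms or 'no access'}")
```

Under this model the question's layout hands groupa read access to projd until someone remembers to add a deny section, while the reply's layout needs no change when a project is added.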