On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
> I tried without anything and still no good
>
> [/DEF]
> @dev =
> @dev1 = rw
>
>
> I have setup a test repo called sandbox with some subdirectories. Here is my
> authz file minus all the commented out lines:
>
> [aliases]
>
> [groups]
> dev = rcrespo, test
> dev1 = test
> qa = qagroup
>
> [/DEF]
> @dev =
> @dev1 = rw
>
> [/]
> @dev = rw
> @qa = r
>
> I am still able to commit files in the DEF directory using the rcrespo login.

Hmmm... I think you'll have to revoke the dev's group rw access on the
root. Then grant write permissions to subtrees individually.

I suspect this is because permissions for all path components are
combined to form the final set of permissions for a given full path.

The book was wrong about this for a long time. It claimed that
permissions for earlier components of a path were overridden by
permissions for later components, which is incorrect.
When the error was found we decided to change the book instead of
changing the code to avoid breaking existing authz setups that rely
on this behaviour.

This snippet from the book tries to explain this. But it's not very
clear because it only talks about individual users vs. group permissions:

  "Another important fact is that group permissions are not overridden
   by individual user permissions. Rather, the combination of all
   matching permissions is granted. In the prior example, Jane is a
   member of the paint-developers group, which has read/write access.
   Combined with the jane = r rule, this still gives Jane read/write
   access. Permissions for group members can only be extended beyond
   the permissions the group already has. Restricting users who are
   part of a group to less than their group's permissions is impossible."
  http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

I suspect the same holds for group vs. group permissions, i.e. you cannot
restrict permissions for the 'dev' group anywhere in the tree since you've
already granted rw permissions on the root folder.

So, assuming your 'dev' group is working in subtrees /ABC and /GHI
I think you'll need:

[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/]
# no access at all for 'dev' at the root:
@dev =
@qa = r

[/DEF]
# the following commented line is now implied so not needed:
#@dev =
@dev1 = rw

# grant 'dev' read-write on subtrees they need:
[/ABC]
@dev = rw

[/GHI]
@dev = rw

Does this work as expected?
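
An added example, not part of the original thread and not Subversion's own code: a small lint that applies the rule in the quoted book passage (all matching entries within one section are combined) to report users whose restrictive entry is widened by another matching entry in the same section. It handles only plain user names and single-level groups and does not model how sections for different paths interact; `SAMPLE_AUTHZ`, `load` and `widened_entries` are names chosen here.

```python
import configparser

# Constructed sample: the authz file quoted in the thread above.
SAMPLE_AUTHZ = """
[aliases]

[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/DEF]
@dev =
@dev1 = rw

[/]
@dev = rw
@qa = r
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    return cp, groups

def widened_entries(text):
    """Return (section, user, narrower_entry, effective_access) for each user
    whose narrower entry in a section is widened by another entry there."""
    cp, groups = load(text)
    findings = []
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        granted = {}  # user -> list of (entry name, access string)
        for name, access in cp[section].items():
            users = groups.get(name[1:], set()) if name.startswith("@") else {name}
            for u in users:
                granted.setdefault(u, []).append((name, access.strip()))
        for user, entries in sorted(granted.items()):
            effective = "".join(c for c in "rw" if any(c in a for _, a in entries))
            for name, access in entries:
                if set(access) < set(effective):  # entry grants less than the union
                    findings.append((section, user, name, effective))
    return findings
```

On the sample it reports that the empty `@dev` entry in `[/DEF]` does not restrict user `test`, who is also in `dev1`.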