Stefan Sperling <[email protected]> writes:

> On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
>> [groups]
>> dev = rcrespo, test
>> dev1 = test
>> qa = qagroup
>>
>> [/DEF]
>> @dev =
>> @dev1 = rw
>>
>> [/]
>> @dev = rw
>> @qa = r
>>
>> I am still able to commit files in the DEF directory using the rcrespo login.
>
> Hmmm... I think you'll have to revoke the dev's group rw access on the root.
> Then grant write permissions to subtrees individually. I suspect this is
> because permissions for all path components are combined to form the final
> set of permissions for a given full path.
>
> The book was wrong about this for a long time.
> It claimed that permissions for earlier components of a path were
> overridden by permissions for later components, which is incorrect.

I think that's misleading.  The error in the book involved a user
matching multiple lines for a single location, like the user 'test'
above.  When that happens the user gets the union of all the
permissions; the book mistakenly claimed the first matching line was
used.

Using the rules above in a file z.z:

$ tools/server-side/svnauthz-validate z.z rcrespo /ABC
user 'rcrespo' has rw access to '/ABC'
$ tools/server-side/svnauthz-validate z.z rcrespo /DEF
user 'rcrespo' has no access to '/DEF'
$ tools/server-side/svnauthz-validate z.z test /DEF
user 'test' has rw access to '/DEF'

It appears the authz file is correct and denies rcrespo access to /DEF.
I suspect the problem is a failure to enable authz at all--editing the
wrong config file, accessing the wrong repository, failed to restart
apache, something like that.

-- 
Philip
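
A simplified model of the lookup discussed in this thread, added here as an example; it is not part of the original messages and not Subversion's own code. It assumes the deepest section that names the user decides the result and that matching lines within that section are unioned, and it ignores repository prefixes, aliases, '~' inversion, '$' tokens and nested groups. The names load and access are hypothetical.

```python
import configparser

# The authz file quoted in the thread, embedded as sample input.
AUTHZ = """\
[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/DEF]
@dev =
@dev1 = rw

[/]
@dev = rw
@qa = r
"""

def load(text):
    """Parse an authz file into (groups, per-path rule lists)."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in m.split(",")}
              for g, m in cp["groups"].items()}
    rules = {s: list(cp[s].items()) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def access(groups, rules, user, path):
    """Return 'rw', 'r', 'w' or '' (no access) for user at path."""
    parts = [p for p in path.split("/") if p]
    # Walk from the full path up to the root; the deepest section that
    # names the user (directly, via a group, or '*') decides the result.
    for depth in range(len(parts), -1, -1):
        section = "/" + "/".join(parts[:depth])
        granted, matched = set(), False
        for name, perms in rules.get(section, []):
            if name in ("*", user) or (
                    name.startswith("@") and user in groups.get(name[1:], ())):
                matched = True
                granted |= set(perms)  # union of every matching line
        if matched:
            return "".join(c for c in "rw" if c in granted)
    return ""

GROUPS, RULES = load(AUTHZ)
for who, where in [("rcrespo", "/ABC"), ("rcrespo", "/DEF"), ("test", "/DEF")]:
    print(who, where, access(GROUPS, RULES, who, where) or "no access")
```
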
