--- On Tue, 1/31/12, Philip Martin <philip.mar...@wandisco.com> wrote:
> From: Philip Martin <philip.mar...@wandisco.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cmkfo...@yahoo.com>
> Cc: "users@subversion.apache.org" <users@subversion.apache.org>, "MarkCooke" <mark.co...@siemens.com>
> Date: Tuesday, January 31, 2012, 2:00 PM
>
> Stefan Sperling <s...@elego.de> writes:
>
> > On Tue, Jan 31, 2012 at 05:22:15AM -0800, K F wrote:
> >> [groups]
> >> dev = rcrespo, test
> >> dev1 = test
> >> qa = qagroup
> >>
> >> [/DEF]
> >> @dev =
> >> @dev1 = rw
> >>
> >> [/]
> >> @dev = rw
> >> @qa = r
> >>
> >> I am still able to commit files in the DEF directory using the rcrespo login.
> >
> > Hmmm... I think you'll have to revoke the dev's group rw access on the root.
> > Then grant write permissions to subtrees individually. I suspect this is
> > because permissions for all path components are combined to form the final
> > set of permissions for a given full path.
> >
> > The book was wrong about this for a long time.
> > It claimed that permissions for earlier components of a path were
> > overridden by permissions for later components, which is incorrect.
>
> I think that's misleading. The error in the book involved a user
> matching multiple lines for a single location, like the user 'test'
> above. When that happens the user gets the union of all the
> permissions, the book mistakenly claimed the first matching line was
> used.
>
> Using the rules above in a file z.z:
>
> $ tools/server-side/svnauthz-validate z.z rcrespo /ABC
> user 'rcrespo' has rw access to '/ABC'
> $ tools/server-side/svnauthz-validate z.z rcrespo /DEF
> user 'rcrespo' has no access to '/DEF'
> $ tools/server-side/svnauthz-validate z.z test /DEF
> user 'test' has rw access to '/DEF'
>
> It appears the authz file is correct and denies rcrespo access to /DEF.
>
> I suspect the problem is a failure to enable authz at all--editing the
> wrong config file, accessing the wrong repository, failed to restart
> apache, something like that.
>
> --
> Philip
>

I verified the file is correct. I tried committing with a login other than rcrespo or test and it does not allow the commit. Apache was restarted and I can still commit with rcrespo. Here is what is in svnserve.conf in case something is set wrong there:

[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
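
The rule evaluation described in the quoted reply, as an added example that is not part of the thread and not Subversion's own code: a simplified Python model in which the nearest path section containing a line that matches the user decides, and all matching lines in that section are unioned. It assumes groups and plain user names only (no aliases, `*`, `~` or repository-prefixed sections); `parse` and `effective_access` are hypothetical names.

```python
# Simplified model of path-based authz lookup (assumption: groups and plain
# user names only; no aliases, '*', '~' or repository-prefixed sections).
AUTHZ = """\
[groups]
dev = rcrespo, test
dev1 = test
qa = qagroup

[/DEF]
@dev =
@dev1 = rw

[/]
@dev = rw
@qa = r
"""  # rules quoted in the thread

def parse(text):
    """Return (groups, sections): sections maps path -> [(principal, perms)]."""
    groups, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current != "groups":
                sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current == "groups":
            groups[key] = {m.strip() for m in value.split(",") if m.strip()}
        elif current is not None:
            sections[current].append((key, value))
    return groups, sections

def effective_access(text, user, path):
    """Union of perms in the nearest section that has a line matching user."""
    groups, sections = parse(text)
    path = "/" + path.strip("/")
    while True:
        matched = [perms for who, perms in sections.get(path, [])
                   if who == user or (who.startswith("@") and user in groups.get(who[1:], ()))]
        if matched:
            return "".join(c for c in "rw" if any(c in p for p in matched))
        if path == "/":
            return ""  # no rule matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"
```

An empty string means no access; the model returns the same answers as the three svnauthz-validate runs quoted above.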