On 16.01.2015 08:06, Tom Ghyselinck wrote:
> Hi,
>
> We are using subversion 1.8.8 (r1568071) server on Ubuntu 14.04.
>
> I need to add "$authenticated" to the group since this is required for
> our company generic group definitions.

I'm having a hard time understanding this requirement. Any concrete user
or group you mention in a rule will only take effect for authenticated
connections anyway.

> We created an authz file with group definitions as follows:
>
> [groups]
> myreaders = $authenticated
>
> [/]
> * =
>
> [/path1]
> $authenticated = r
>
> [/path2]
> @myreaders = r
>
> [/path3]
> # I know, this is actually a user definition
> myreaders = r
>
>
> It looks like it is not possible or not allowed to add the
> "$authenticated" token to a group definition:
> - Using it in /path1 is fine (as documented)
> - I expect it also to work in /path2, but it's not.
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path1 ~/test.authz
> r
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path2 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path3 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path1 ~/test.authz
> r
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path2 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path3 ~/test.authz
> # (Here it matches the "user" myreaders)
> r
>
>
> I couldn't find any documentation whether or not it is possible and/or
> allowed.

If you read

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

you'll find that you can define groups that contain users, aliases and
other groups. $authenticated and $anonymous are magic tokens that do not
belong to any of those categories.

The point is that group memberships are completely defined when the
authz file is parsed, but $authenticated and $anonymous do not refer to
users but to connection states when the authorization check is being done.

> Can someone confirm if this is expected to work or not?

It is not expected to work.

> If not, is there a workaround to add "$authenticated" to a group?

You don't need a workaround. Just change your configuration like this,
for example:

    [/path2]
    @myreaders = r
    $authenticated = r

But, as I said above: this is redundant. The "@myreaders=r" entry only
takes effect if the connection is authenticated; if it's an anonymous
connection, there's no user name and therefore no group membership, so
you may as well omit the "@myreaders=r" entry from the authz rule.

-- Brane
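
The following is an added example, not part of the original message and not Subversion code: a small lint check that flags the misconfiguration discussed in this thread, a `$authenticated` or `$anonymous` token listed as a group member, and reports which path rules rely on that group. The function name `lint_authz` is hypothetical, and the sample input is the authz file quoted in the message.

```python
import configparser

MAGIC_TOKENS = {"$authenticated", "$anonymous"}

# Constructed sample: the authz file quoted in the message above.
SAMPLE_AUTHZ = """\
[groups]
myreaders = $authenticated

[/]
* =

[/path1]
$authenticated = r

[/path2]
@myreaders = r

[/path3]
myreaders = r
"""

def lint_authz(text):
    """Return (group, token, sections referencing @group) for each magic token in [groups]."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    findings = []
    if not cp.has_section("groups"):
        return findings
    for group, members in cp.items("groups"):
        for member in (m.strip() for m in members.split(",")):
            if member in MAGIC_TOKENS:
                # Path sections whose rules depend on the affected group.
                users = [s for s in cp.sections()
                         if s != "groups" and cp.has_option(s, "@" + group)]
                findings.append((group, member, users))
    return findings

if __name__ == "__main__":
    for group, token, sections in lint_authz(SAMPLE_AUTHZ):
        print(f"group '{group}' lists {token}, which does not work as a "
              f"group member; rules affected: {sections}")
```

Running such a check before deploying an authz file catches rules like `[/path2]` above, which otherwise fail closed with no parse error.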