[svnbook commit] r3094 - trunk/src/en/book
C. Michael Pilato
cmpilato at red-bean.com
Wed Jun 11 20:44:26 CDT 2008
Ben Collins-Sussman wrote:
> On Sun, Jun 1, 2008 at 10:45 AM, Peter Lloyd <l-svndev at pgl22.co.uk> wrote:
>> On Sun, 1 Jun 2008, sussman wrote:
>>> Author: sussman
>>> Date: Sun Jun 1 10:01:44 2008
>>> New Revision: 3094
>>>
>>> Modified: trunk/src/en/book/ch06-server-configuration.xml
>>>
>>> ==============================================================================
>>> [paint:/projects/paint]
>>> - at paint-developers = rw
>>> jane = r
>>> + at paint-developers = rw
>>> </screen>
>>>
>>> + <para>Another important fact is that
>>> + the <emphasis>first</emphasis> matching rule is the one which gets
>>> + applied to a user. In the prior example, even though Jane is a
>>> + member of the <literal>paint-developers</literal> group (which has
>>> + read-write access), the <literal>jane = r</literal> rule will be
>>> + discovered and matched before the group rule, thus denying Jane
>>> + write access.</para>
>>> +
>> Hi,
>>
>> I'm not sure that this is correct. I tried with a small authz file, and the
>> order of the lines within a section didn't appear to matter.
>>
>> Instead, the user seemed to always get the *most* permissive rights assigned
>> to them in a section. I couldn't reduce rights via a specific user= line,
>> but only increase them!
>>
>> I had a look at subversion/libsvn_repos/authz.c, and I reckon what is
>> happening is this:
>>
>> svn_config_enumerate2 is calling authz_parse_line multiple times.
>> authz_parse line never returns FALSE, so it always keeps going.
>> So, after it has parsed the whole section, in the authz baton there will be
>> b->allow = svn_authz_read & svn_authz_write (from the group=rw)
>> b->deny = svn_authz_write (from jane=r)
>>
>> Then, based on this:
>> authz_access_is_determined returns TRUE and
>> authz_access_is_granted returns TRUE, for an attempted write.
>>
>> Does that make sense?
>
> Wow, this is weird. So somehow the user ends up with the "permissive
> union" of all rules? Maybe we should move this discussion to the
> public dev@ list so others can speak up about it.
Did you ever move this discussion to the Subversion dev@ list, Ben? Now's
the time!
--
C. Michael Pilato <cmpilato at red-bean.com> | http://cmpilato.blogspot.com/
"The Christian ideal has not been tried and found wanting. It has
been found difficult; and left untried." -- G. K. Chesterton
More information about the svnbook-dev
mailing list