[svnbook commit] r3094 - trunk/src/en/book
l-svndev at pgl22.co.uk
Sun Jun 1 10:45:27 CDT 2008
On Sun, 1 Jun 2008, sussman wrote:
> Author: sussman
> Date: Sun Jun 1 10:01:44 2008
> New Revision: 3094
> Modified: trunk/src/en/book/ch06-server-configuration.xml
> - at paint-developers = rw
> jane = r
> + at paint-developers = rw
> + <para>Another important fact is that
> + the <emphasis>first</emphasis> matching rule is the one which gets
> + applied to a user. In the prior example, even though Jane is a
> + member of the <literal>paint-developers</literal> group (which has
> + read-write access), the <literal>jane = r</literal> rule will be
> + discovered and matched before the group rule, thus denying Jane
> + write access.</para>
I'm not sure that this is correct. I tried with a small authz file, and
the order of the lines within a section didn't appear to matter.
Instead, the user seemed to always get the *most* permissive rights
assigned to them in a section. I couldn't reduce rights via a specific
user= line, but only increase them!
I had a look at subversion/libsvn_repos/authz.c, and I reckon what
is happening is this:
svn_config_enumerate2 is calling authz_parse_line multiple times.
authz_parse line never returns FALSE, so it always keeps going.
So, after it has parsed the whole section, in the authz baton there will
b->allow = svn_authz_read & svn_authz_write (from the group=rw)
b->deny = svn_authz_write (from jane=r)
Then, based on this:
authz_access_is_determined returns TRUE and
authz_access_is_granted returns TRUE, for an attempted write.
Does that make sense?
More information about the svnbook-dev