[svnbook] r3728 committed - Fix the long-standing authz documentation bug regarding group permissi...

svnbook at googlecode.com
Sun May 2 06:33:49 CDT 2010


Revision: 3728
Author: stsp at elego.de
Date: Sun May  2 04:33:06 2010
Log: Fix the long-standing authz documentation bug regarding group permissions.
This was tracked in the book's issue tracker as issue #71. This commit
is based on the patch attached to that issue.

See this post and follow-ups for related discussion:
   Date: Thu, 14 Jan 2010 22:16:35 +0000
   From: Philip Martin <philip at codematters.co.uk>
   To: dev at subversion.apache.org
   Subject: Multiple matching lines in authz file
   Message-ID: <877hrkmiws.fsf at stat.home.lan>
   http://svn.haxx.se/dev/archive-2010-01/0340.shtml

I also discussed this with striker (who wrote a lot of the initial authz
code) at the Apache Retreat. He confirmed that this was a documentation bug,
rather than a bug in the implementation.

* src/en/book/ch06-server-configuration.xml:
   (svn.serverconfig.pathbasedauthz): Group permissions can only be
    extended, not restricted, for individual group members. Document
    this correctly, rather than claiming the opposite was true.

Patch by: Mark Cammidge
(tweaked by me)

http://code.google.com/p/svnbook/source/detail?r=3728

Modified:
  /trunk/src/en/book/ch06-server-configuration.xml

=======================================
--- /trunk/src/en/book/ch06-server-configuration.xml	Thu Feb 18 09:57:58  
2010
+++ /trunk/src/en/book/ch06-server-configuration.xml	Sun May  2 04:33:06  
2010
@@ -3111,13 +3111,15 @@
  @paint-developers = rw
  </screen>

-    <para>Another important fact is that
-    the <emphasis>first</emphasis> matching rule is the one which gets
-    applied to a user.  In the prior example, even though Jane is a
-    member of the <literal>paint-developers</literal> group (which has
-    read/write access), the <literal>jane = r</literal> rule will be
-    discovered and matched before the group rule, thus denying Jane
-    write access.</para>
+    <para>Another important fact is that group permissions are not
+    overridden by individual user permissions. Rather, the
+    <emphasis>combination</emphasis> of all matching permissions is
+    granted.  In the prior example, Jane is a member of the
+    <literal>paint-developers</literal> group, which has read/write access.
+    Combined with the <literal>jane = r</literal> rule, this still gives
+    Jane read/write access.  Permissions for group members can only be  
extended
+    beyond the permissions the group already has. Restricting users who are
+    part of a group to less than their group's permissions is  
impossible.</para>

      <para>Groups can also be defined to contain other groups:</para>
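Review bot: The new paragraph never says that the jane = r line in the preceding example is now redundant, so a reader may still take that rule as a working restriction when auditing an authz file. Consider adding a sentence right after "this still gives Jane read/write access" stating that the individual rule has no effect here, and that the only way to give Jane less than paint-developers is to take her out of the group. Two style points in the same paragraph: sentence spacing is mixed (one space after "user permissions." and "already has.", two after "granted." and "read/write access."), and the added line ending in "extended" is longer than its neighbours and should be rewrapped to match the surrounding markup.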




