[svnbook] r3728 committed - Fix the long-standing authz documentation bug regarding group permissi...
svnbook at googlecode.com
Sun May 2 06:33:49 CDT 2010
Revision: 3728
Author: stsp at elego.de
Date: Sun May 2 04:33:06 2010
Log: Fix the long-standing authz documentation bug regarding group
permissions.
This was tracked in the book's issue tracker as issue #71. This commit
is based on the patch attached to that issue.
See this post and follow-ups for related discussion:
Date: Thu, 14 Jan 2010 22:16:35 +0000
From: Philip Martin <philip at codematters.co.uk>
To: dev at subversion.apache.org
Subject: Multiple matching lines in authz file
Message-ID: <877hrkmiws.fsf at stat.home.lan>
http://svn.haxx.se/dev/archive-2010-01/0340.shtml
I also discussed this with striker (who wrote a lot of the initial authz
code) at the Apache Retreat. He confirmed that this was a documentation bug,
rather than a bug in the implementation.
* src/en/book/ch06-server-configuration.xml:
(svn.serverconfig.pathbasedauthz): Group permissions can only be
extended, not restricted, for individual group members. Document
this correctly, rather than claiming the opposite was true.
Patch by: Mark Cammidge
(tweaked by me)
http://code.google.com/p/svnbook/source/detail?r=3728
Modified:
/trunk/src/en/book/ch06-server-configuration.xml
=======================================
--- /trunk/src/en/book/ch06-server-configuration.xml Thu Feb 18 09:57:58
2010
+++ /trunk/src/en/book/ch06-server-configuration.xml Sun May 2 04:33:06
2010
@@ -3111,13 +3111,15 @@
@paint-developers = rw
</screen>
- <para>Another important fact is that
- the <emphasis>first</emphasis> matching rule is the one which gets
- applied to a user. In the prior example, even though Jane is a
- member of the <literal>paint-developers</literal> group (which has
- read/write access), the <literal>jane = r</literal> rule will be
- discovered and matched before the group rule, thus denying Jane
- write access.</para>
+ <para>Another important fact is that group permissions are not
+ overridden by individual user permissions. Rather, the
+ <emphasis>combination</emphasis> of all matching permissions is
+ granted. In the prior example, Jane is a member of the
+ <literal>paint-developers</literal> group, which has read/write access.
+ Combined with the <literal>jane = r</literal> rule, this still gives
+ Jane read/write access. Permissions for group members can only be
extended
+ beyond the permissions the group already has. Restricting users who are
+ part of a group to less than their group's permissions is
impossible.</para>
<para>Groups can also be defined to contain other groups:</para>
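Review bot: The added paragraph, from "Permissions for group members can only be extended" to the end, tells the reader that restricting a group member is impossible but gives no guidance on what to do instead. An administrator who wrote `jane = r` next to `@paint-developers = rw` under the removed first-match wording now has a rule that grants read/write where read-only was intended. Suggest adding a sentence saying that Jane must be taken out of `paint-developers` (or the group split) for the narrower rule to have any effect, and that authz files written against the old text should be re-checked for such entries. The paragraph also does not say whether the "combination of all matching permissions" is taken only among rules in the same path section; stating the scope would remove that ambiguity.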