0

I have several repositories and users set up via CollabNet Subversion Edge. I am trying to learn a bit about restricting access to a few of our repositories to only a few users, and I am running into some problems. For example, I have the following rules set:

[groups]
engineers = alexa, miked
dtil = user1, user2, user3

[/]
* = rw

[PermissionsTest:/]
~@engineers =

What I want to do is leave the other repositories alone (let anybody read or write to it, hence why I left [/] * = rw), but be able to restrict PermissionsTest in this case to just one user group. However, I can still check out and update the code in PermissionsTest as another user who is not in the engineers group.

Is it even possible to to restrict repository access with one rule? Or do I explicitly have to give access to users and groups to each repository to make this work?

codewario
  • 548
  • 3
  • 16
  • 36

2 Answers2

1

Subversion access control is inherited from higher levels if there isn't an explicit match at the level you want. In your case the group dtil is implicitly granted rw to the test repository since it already has rw on the parent.

If you have a model whereby most of your repositories are rw with a few restricted ones, then you have to take care to explicitly deny those users and groups that might have permissions higher up:

[PermissionsTest:/]
~@engineers =
* =

Clean enough in your case, but as you can imagine it'll get very messy if you've got a lot of groups and repositories to look after; having to explicitly deny access is never a good approach. I'd recommend removing that lop level * = rw default and adding it back in as a policy default only to the repositories you want to be open (Principle of least privilege). It might make your config a little bigger, but it's the safer route.

SmallClanger
  • 9,127
  • 1
  • 32
  • 47
0

Remove this first

[/]

* = rw

and give user permissions for projects explicitly.

Renju chingath
  • 123
  • 2
  • 13