Svn – Subversion Repository Access Rules

subversion-edge svn

I have several repositories and users set up via CollabNet Subversion Edge. I am trying to learn a bit about restricting access to a few of our repositories to only a few users, and I am running into some problems. For example, I have the following rules set:

[groups]
engineers = alexa, miked
dtil = user1, user2, user3

[/]
* = rw

[PermissionsTest:/]
~@engineers =

What I want to do is leave the other repositories alone (let anybody read or write to it, hence why I left [/] * = rw), but be able to restrict PermissionsTest in this case to just one user group. However, I can still check out and update the code in PermissionsTest as another user who is not in the engineers group.

Is it even possible to restrict repository access with one rule? Or do I explicitly have to give access to users and groups to each repository to make this work?

Best Answer

Subversion access control is inherited from higher levels if there isn't an explicit match at the level you want. In your case the group dtil is implicitly granted rw to the test repository since it already has rw on the parent.

If you have a model whereby most of your repositories are rw with a few restricted ones, then you have to take care to explicitly deny those users and groups that might have permissions higher up:

[PermissionsTest:/]
~@engineers =
* = 

Clean enough in your case, but as you can imagine it'll get very messy if you've got a lot of groups and repositories to look after; having to explicitly deny access is never a good approach. I'd recommend removing that top level * = rw default and adding it back in as a policy default only to the repositories you want to be open (Principle of least privilege). It might make your config a little bigger, but it's the safer route.
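
An added example, not part of the original question or answer: a small audit that flags a top-level `* = rw` default and every repository section that would inherit it, following the inheritance model described in the answer. The repository name `OpenRepo` and the `@engineers = rw` grant in the second sample are assumptions made for illustration.

```python
import configparser

# Constructed sample: the rules from the question.
QUESTION_AUTHZ = """\
[groups]
engineers = alexa, miked
dtil = user1, user2, user3

[/]
* = rw

[PermissionsTest:/]
~@engineers =
"""

# Constructed sample: no top-level default; "OpenRepo" and the
# "@engineers = rw" grant are assumptions made for this example.
LEAST_PRIVILEGE_AUTHZ = """\
[groups]
engineers = alexa, miked

[OpenRepo:/]
* = rw

[PermissionsTest:/]
@engineers = rw
"""

def audit(text):
    """Return (section, message) findings for an authz file's text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    findings = []
    default = cp.get("/", "*", fallback="").strip()
    if default:
        findings.append(("/", f"top-level '* = {default}' applies to every repository"))
    for section in cp.sections():
        if section in ("groups", "aliases", "/"):
            continue
        # Without its own '*' rule, users matching nothing here inherit [/].
        if default and not cp.has_option(section, "*"):
            findings.append((section, f"no '*' rule; unmatched users inherit '{default}'"))
    return findings

if __name__ == "__main__":
    for name, text in (("question", QUESTION_AUTHZ), ("least privilege", LEAST_PRIVILEGE_AUTHZ)):
        print(name, audit(text) or "no findings")
```

Running it against a real authz file before and after removing the top-level default shows which repository sections still depend on that default.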