doc/manual.docbook
changeset 149 dc4ed4edb458
parent 148 5da43b596bac
child 150 02b464a6b433
equal deleted inserted replaced
148:5da43b596bac 149:dc4ed4edb458
   310 This means that doing tricky things with file conditions can have
   310 This means that doing tricky things with file conditions can have
   311 counterintuitive consequences:
   311 counterintuitive consequences:
   312 </para>
   312 </para>
   313 <itemizedlist>
   313 <itemizedlist>
   314 <listitem>
   314 <listitem>
   315 <para>You cannot limit read access to a subset of a repository with a "read"
   315 <para>You cannot limit read access to a subset of a repository with a <literal>read</literal>
   316 rule and a file condition: any user who has access to a repository can read
   316 rule and a file condition: any user who has access to a repository can read
   317 all of it and its full history. Such a rule can only have the effect of
   317 all of it and its full history. Such a rule can only have the effect of
   318 masking a later "write" rule, as in this example:</para>
   318 masking a later <literal>write</literal> rule, as in this example:</para>
   319 <programlisting>read repo=specialrepo file=dontwritethis
   319 <programlisting>read repo=specialrepo file=dontwritethis
   320 write repo=specialrepo
   320 write repo=specialrepo
   321 </programlisting>
   321 </programlisting>
   322 <para>
   322 <para>
   323 allows all users to read specialrepo, and to write to all files
   323 allows all users to read <literal>specialrepo</literal>, and to write to all files
   324 <emphasis>except</emphasis> that any changeset which writes to
   324 <emphasis>except</emphasis> that any changeset which writes to
   325 <filename>dontwritethis</filename> will be rejected.
   325 <filename>dontwritethis</filename> will be rejected.
   326 </para>
   326 </para>
   327 </listitem>
   327 </listitem>
   328 <listitem>
   328 <listitem>
   329 For similar reasons, don't give <literal>init</literal> rules file conditions.
   329 For similar reasons, don't give <literal>init</literal> rules file conditions.
   330 </listitem>
   330 </listitem>
   331 <listitem>
   331 <listitem>
   332 <para>Don't try to deny write access to a particular file on a particular
   332 <para>Don't try to deny write access to a particular file on a particular
   333 branch - a developer can write to the file on another branch and then merge
   333 branch&#x2014;a developer can write to the file on another branch and then merge
   334 it in. Either deny all writes to the branch from that user, or allow them
   334 it in. Either deny all writes to the branch from that user, or allow them
   335 to write to all the files they can write to on any branch. In other words,
   335 to write to all the files they can write to on any branch.
   336 something like this will have the intended effect:
       
   337 </para>
   336 </para>
   338 <programlisting>write user=docs/* branch=docs file=docs/*
   337 <programlisting>write user=docs/* branch=docs file=docs/*
   339 </programlisting>
   338 </programlisting>
   340 <para>
   339 <para>
   341 But something like this will not have the intended effect; it will
   340 This rule grants users whose keys are in the <filename
   342 effectively allow these users to write to any file on any branch, by
   341 class='directory'>docs</filename> subdirectory the power to push changesets
   343 writing it to "docs" first:
   342 into any repository only if those changesets are on the
       
   343 <literal>docs</literal> branch and they affect only those files directly
       
   344 under the <filename class='directory'>docs</filename> directory. However,
       
   345 the rules below have more counterintuitive consequences.
   344 </para>
   346 </para>
   345 <programlisting>write user=docs/* branch=docs
   347 <programlisting>write user=docs/* branch=docs
   346 write user=docs/* file=docs/*
   348 write user=docs/* file=docs/*
   347 read user=docs/*
   349 read user=docs/*
   348 </programlisting>
   350 </programlisting>
       
   351 <para>
       
   352 These rules grant users whose keys are in the <filename
       
   353 class='directory'>docs</filename> subdirectory the power to change any file directly under the <filename class='directory'>docs</filename> directory, or any file at all in the <literal>docs</literal> branch.  Indirectly, however, this adds up to the power to change any file on any branch, simply by making the change on the docs branch and then merging the change into another branch.
       
   354 </para>
   349 </listitem>
   355 </listitem>
   350 </itemizedlist>
   356 </itemizedlist>
   351 </section>
   357 </section>
   352 </section>
   358 </section>
   353 <section>
   359 <section>
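Review bot: the new paragraph (new lines 340-345) is hard to parse at "the power to push changesets into any repository only if those changesets are on the docs branch and they affect only those files" - "only if" attaches to "the power" rather than to the changesets, so the permitted set reads as a condition on the grant instead of on what is pushed; suggest "lets users whose keys are in the docs subdirectory push, to any repository, only changesets that are on the docs branch and touch only files under docs". Two smaller points in the same hunk: "the rules below have more counterintuitive consequences" (new line 345) leaves "more" unanchored, and since the contrast is with the single combined rule just shown, "by contrast" or "than the single rule above" would make it explicit; and new line 353 is one unwrapped line while the rest of the file is hard-wrapped, so it should be reflowed to match. Unchanged context line 329 still puts bare text directly inside `<listitem>` without a `<para>`, which is invalid DocBook; worth fixing while this section is being touched.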