310 This means that doing tricky things with file conditions can have |
310 This means that doing tricky things with file conditions can have |
311 counterintuitive consequences: |
311 counterintuitive consequences: |
312 </para> |
312 </para> |
313 <itemizedlist> |
313 <itemizedlist> |
314 <listitem> |
314 <listitem> |
315 <para>You cannot limit read access to a subset of a repository with a "read" |
315 <para>You cannot limit read access to a subset of a repository with a <literal>read</literal> |
316 rule and a file condition: any user who has access to a repository can read |
316 rule and a file condition: any user who has access to a repository can read |
317 all of it and its full history. Such a rule can only have the effect of |
317 all of it and its full history. Such a rule can only have the effect of |
318 masking a later "write" rule, as in this example:</para> |
318 masking a later <literal>write</literal> rule, as in this example:</para> |
319 <programlisting>read repo=specialrepo file=dontwritethis |
319 <programlisting>read repo=specialrepo file=dontwritethis |
320 write repo=specialrepo |
320 write repo=specialrepo |
321 </programlisting> |
321 </programlisting> |
322 <para> |
322 <para> |
323 allows all users to read specialrepo, and to write to all files |
323 allows all users to read <literal>specialrepo</literal>, and to write to all files |
324 <emphasis>except</emphasis> that any changeset which writes to |
324 <emphasis>except</emphasis> that any changeset which writes to |
325 <filename>dontwritethis</filename> will be rejected. |
325 <filename>dontwritethis</filename> will be rejected. |
326 </para> |
326 </para> |
327 </listitem> |
327 </listitem> |
328 <listitem> |
328 <listitem> |
329 For similar reasons, don't give <literal>init</literal> rules file conditions. |
329 For similar reasons, don't give <literal>init</literal> rules file conditions. |
330 </listitem> |
330 </listitem> |
331 <listitem> |
331 <listitem> |
332 <para>Don't try to deny write access to a particular file on a particular |
332 <para>Don't try to deny write access to a particular file on a particular |
333 branch - a developer can write to the file on another branch and then merge |
333 branch—a developer can write to the file on another branch and then merge |
334 it in. Either deny all writes to the branch from that user, or allow them |
334 it in. Either deny all writes to the branch from that user, or allow them |
335 to write to all the files they can write to on any branch. In other words, |
335 to write to all the files they can write to on any branch. |
336 something like this will have the intended effect: |
|
337 </para> |
336 </para> |
338 <programlisting>write user=docs/* branch=docs file=docs/* |
337 <programlisting>write user=docs/* branch=docs file=docs/* |
339 </programlisting> |
338 </programlisting> |
340 <para> |
339 <para> |
341 But something like this will not have the intended effect; it will |
340 This rule grants users whose keys are in the <filename |
342 effectively allow these users to write to any file on any branch, by |
341 class='directory'>docs</filename> subdirectory the power to push changesets |
343 writing it to "docs" first: |
342 into any repository only if those changesets are on the |
|
343 <literal>docs</literal> branch and they affect only those files directly |
|
344 under the <filename class='directory'>docs</filename> directory. However, |
|
345 the rules below have more counterintuitive consequences. |
344 </para> |
346 </para> |
345 <programlisting>write user=docs/* branch=docs |
347 <programlisting>write user=docs/* branch=docs |
346 write user=docs/* file=docs/* |
348 write user=docs/* file=docs/* |
347 read user=docs/* |
349 read user=docs/* |
348 </programlisting> |
350 </programlisting> |
|
351 <para> |
|
352 These rules grant users whose keys are in the <filename |
|
353 class='directory'>docs</filename> subdirectory the power to change any file directly under the <filename class='directory'>docs</filename> directory, or any file at all in the <literal>docs</literal> branch. Indirectly, however, this adds up to the power to change any file on any branch, simply by making the change on the docs branch and then merging the change into another branch. |
|
354 </para> |
349 </listitem> |
355 </listitem> |
350 </itemizedlist> |
356 </itemizedlist> |
351 </section> |
357 </section> |
352 </section> |
358 </section> |
353 <section> |
359 <section> |
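Review bot: the `init` list item is still bare text directly inside `<listitem>` on both sides of the change (`For similar reasons, don't give <literal>init</literal> rules file conditions.`); DocBook requires block content inside `listitem`, so wrap that sentence in `<para>` and `</para>` while this list is being edited, otherwise the document does not validate. Two smaller points on the new side: the first `<programlisting>` (`write user=docs/* branch=docs file=docs/*`) now follows the sentence ending `to write to all the files they can write to on any branch.` with nothing introducing it, because the old `In other words, something like this will have the intended effect:` was dropped; a short lead-in such as `For example, this rule has the intended effect:` would orient the reader before the explanation that now comes after the listing. Finally, the closing paragraph beginning `These rules grant users whose keys are in the` is a single very long line while the rest of the file wraps at roughly 80 columns; rewrap it to match the surrounding text.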