# HG changeset patch # User Paul Crowley # Date 1208868679 -3600 # Node ID 2c4f499ea12f5d35bbf0511910650810fed60f9e # Parent 9d78dca32325a1eec7dfc0ca25f66d8ed836a3aa Explain limitations of branch/file rule combination diff -r 9d78dca32325 -r 2c4f499ea12f README --- a/README Tue Apr 22 13:23:07 2008 +0100 +++ b/README Tue Apr 22 13:51:19 2008 +0100 @@ -174,6 +174,22 @@ - For similar reasons, don't give "init" rules file conditions. +- Don't try to deny write access to a particular file on a particular +branch - a developer can write to the file on another branch and then +merge it in. Either deny all writes to the branch from that user, or +allow them to write to all the files they can write to on any branch. +In other words, something like this will have the intended effect + + write user=docs/* branch=docs file=docs/* + +But something like this will not have the intended effect; it will +effectively allow these users to write to any file on any branch, by +writing it to "docs" first: + + write user=docs/* branch=docs + write user=docs/* file=docs/* + read user=docs/* + LOCKING YOURSELF OUT If you find yourself "locked out" - that is, that you no longer have