Deny/Exclude Rules Help

Daniel Bingham

Jan 4, 2011, 4:04:46 PM
to gito...@googlegroups.com
I see in the example.conf that it says: "do not use `@all` when your config has any deny rules; it won't work as you probably expect it to!"

How do I expect it to work? And how does it actually work?

What I want to achieve is something along these lines:

    repo myRepo
        - master = @restricted
        RW master = @all

Since order matters with deny rules, I figured that would essentially make all users in the @restricted group have read-only, while everyone else got RW. Is that not correct?

Thanks.

Daniel

Sitaram Chamarty

Jan 4, 2011, 4:47:13 PM
to Daniel Bingham, gito...@googlegroups.com
On Tue, Jan 04, 2011 at 03:04:46PM -0600, Daniel Bingham wrote:
> I see in the example.conf that it says: "do not use `@all`
> when your config has any deny rules; it won't work as you
> probably expect it to!"

Actually, that should not be true anymore. The trouble with
writing so much documentation (even inline documentation in
conf file) is that as the code improves, one forgets to
update everything :(

> What I want to achieve is something along these lines:
>
>     repo myRepo
>         - master = @restricted
>         RW master = @all
>
> Since order matters with deny rules, I figured that would
> essentially make all users in the @restricted group have
> read-only, while everyone else got RW. Is that not
> correct?

Should work. Try it and report back. I'll make a note to
myself to update the doc.

Sitaram Chamarty

Jan 4, 2011, 5:42:02 PM
to Daniel Bingham, gito...@googlegroups.com
On Wed, Jan 05, 2011 at 03:17:13AM +0530, Sitaram Chamarty wrote:
> On Tue, Jan 04, 2011 at 03:04:46PM -0600, Daniel Bingham wrote:
> >     repo myRepo
> >         - master = @restricted
> >         RW master = @all

Actually, that would always have worked, even when that
documentation was valid (that @all should not be used with
deny's).

The implementation before v1.5 was such that @all rules were
always applied *last*, thus breaking the "order matters"
logic. Your example had @all at the end anyway, so it would
have worked from day one of "deny rules" existence.

I had decided not to document what I felt was an
implementation detail that might change, and instead warned
people off the whole issue :)

Of course this got fixed a bit before v1.5 but I forgot to
fix the inline doc in the conf.

Here's an example of what would not have worked, before
v1.5:

    @restricted = u1 u2
    repo r1
        RW master = @all
        - master = @restricted
        RW+ master = @all

where you want restricted folks to get write but not rewind
access. Before v1.5, this would have prevented users u1 and
u2 from doing any writes to master, even ff writes.

HTH

Sitaram
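
The two evaluation orders described in this thread, as a simplified model added here for illustration (it is not gitolite's code and not from either poster). The first-match semantics, the `check` and `table` helpers, and the unrestricted user u3 are assumptions of the example.

```python
import re

# Constructed model, not gitolite's code: rules are (perm, refex, who),
# checked top to bottom; the first rule that matches user, ref and the
# requested write type decides. "-" denies any write it matches.
GROUPS = {"@restricted": {"u1", "u2"}}

def member(user, who):
    return who == "@all" or user == who or user in GROUPS.get(who, set())

def check(rules, user, branch, want, all_last=False):
    """want is 'W' (fast-forward push) or '+' (rewind). True if allowed.

    all_last=True models the pre-v1.5 behaviour described in the thread:
    @all rules are considered only after every other rule."""
    if all_last:
        # sorted() is stable, so relative order within each half is kept.
        rules = sorted(rules, key=lambda r: r[2] == "@all")
    for perm, refex, who in rules:
        if not member(user, who) or not re.match(refex, branch):
            continue
        if perm == "-":
            return False
        if want in perm:
            return True
    return False  # no rule matched: deny

# The two configs from the thread, transcribed as rule lists.
DANIEL = [("-", "master", "@restricted"), ("RW", "master", "@all")]
SITARAM = [("RW", "master", "@all"),
           ("-", "master", "@restricted"),
           ("RW+", "master", "@all")]

def table(rules, users=("u1", "u3")):
    """Return {(user, want, all_last): allowed} for a push to master."""
    return {(u, w, old): check(rules, u, "master", w, all_last=old)
            for u in users for w in ("W", "+") for old in (False, True)}

if __name__ == "__main__":
    for name, rules in (("Daniel", DANIEL), ("Sitaram", SITARAM)):
        for (u, w, old), ok in sorted(table(rules).items()):
            model = "@all last (pre-v1.5)" if old else "order matters"
            print(f"{name:8} {u} {w} {model:22} {'allow' if ok else 'deny'}")
```

Running it prints one line per user, write type and evaluation order, so any difference between the two orders for either config shows up as a changed allow/deny.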

Daniel Bingham

Jan 5, 2011, 12:24:18 PM
to Sitaram Chamarty, gito...@googlegroups.com
Makes sense. The config does seem to be working. If I run into any trouble, I'll hit up the list again.

Thanks!

Daniel
