Author: stsp
Date: Sat Jan 30 10:14:29 2021
New Revision: 1886050

URL: http://svn.apache.org/viewvc?rev=1886050&view=rev
Log:
* staging/docs/release-notes/1.14.html
  (compat-misc-authz): Add authz ruleset example for issue 4762 fix.

Modified:
    subversion/site/staging/docs/release-notes/1.14.html

Modified: subversion/site/staging/docs/release-notes/1.14.html
URL: http://svn.apache.org/viewvc/subversion/site/staging/docs/release-notes/1.14.html?rev=1886050&r1=1886049&r2=1886050&view=diff
==============================================================================
--- subversion/site/staging/docs/release-notes/1.14.html (original)
+++ subversion/site/staging/docs/release-notes/1.14.html Sat Jan 30 10:14:29 
2021
@@ -226,7 +226,7 @@ users.  We'll cover those in this sectio
 
 <p>A fix for <a 
href="https://issues.apache.org/jira/browse/SVN-4762?issueNumber=4762";
 >Issue #4762</a> may change the way path-based authorization rules are applied
-in some circumstances.</p>
+in some circumstances. See <a 
href="http://svn.apache.org/r1882326";>r1882326</a>.</p>
 
 <p>Background: Subversion 1.10 introduced a new implementation of path-based
 authorization (authz) to deliver wildcard support and improved performance
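Review bot: The link added on the "+in some circumstances. See" line points at http://svn.apache.org/r1882326, while the issue link two lines above it uses https; use https here as well. It would also help to say what the revision is (for example "See the fix in r1882326"), so the bare revision number is not the only cue for readers.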
@@ -236,20 +236,68 @@ rules: if a global rule and a per-reposi
 path, the global rule would be ignored and the per-repository rule would
 apply by itself. As a result, from Subversion 1.10 through 1.14.0, it was not
 possible to override per-path access rules for specific users (or groups) at
-the global level.</p>
-
-<p>This issue is fixed in 1.14.1, making it possible once again to override
-per-path access rules for specific users (and groups) at the global level.
-Such global rules are overridden by repository-specific rules only if
-both the user and the path match the repository-specific rule.</p>
-
-<p class="todo">TODO: Show examples of authz syntax and explain how they are
-interpreted before and after the fix.</p>
-
-<p>Administrators whose authz rules rely on the incorrect behavior in 1.10
-through 1.14.0 may need to adjust their rules accordingly.</p>
-
-<p>See <a href="http://svn.apache.org/r1882326";>r1882326</a>.
+the global level. Administrators whose authz rules rely on this incorrect
+behavior may need to adjust their rules accordingly.
+</p>
+
+<p>This issue is fixed in 1.10.7 and 1.14.1, making it possible once again to
+override per-path access rules for specific users (and groups) at the global 
level.
+Such global rules are overridden by repository-specific rules only if both the
+user and the path match the repository-specific rule.</p>
+
+<p>As an example, consider the following rule set:</p>
+
+<pre>
+[groups]
+company = developer1, developer2, developer3
+customer = customer1, customer2
+
+# company can read-write on everything
+[/]
+@company = rw
+
+[project1:/]
+@customer = r
+</pre>
+
+<p>
+Does <tt>developer1</tt> have <tt>rw</tt> access to <tt>"/trunk"</tt> in 
<tt>project1</tt>?
+</p>
+
+<p>
+Subversion servers running 1.10.0 up to 1.10.6 or 1.14.0, without the fix for
+<a href="https://issues.apache.org/jira/browse/SVN-4762?issueNumber=4762";
+>issue #4762</a>, will only apply the repository-specific part of the rule 
set:</p>
+<pre>
+[project1:/]
+@customer = r
+</pre>
+<p>
+The answer in this case is that <tt>developer1</tt> has no access at all 
because the
+global rule which grants <tt>rw</tt> access to the <tt>@company</tt> group is 
ignored.
+</p>
+
+<p>
+Subversion servers running 1.10.7 or 1.14.1 or later match the behaviour of
+Subversion 1.9, meaning they will apply both the global and the 
repository-specific
+part of the rule set:</p>
+<pre>
+# company can read-write on everything
+[/]
+@company = rw
+
+[project1:/]
+@customer = r
+</pre>
+<p>
+The answer in this case is that <tt>developer1</tt> has <tt>rw</tt> access
+to any path in <tt>project1</tt>.
+Global rules are overridden by repository-specific rules only if both the
+user (<tt>developer1</tt>) and the path (<tt>"/"</tt>, including child paths
+for which no specific rules exist) match the repository-specific rule.
+While the repository-specific rule matches <tt>"/trunk"</tt> it does not
+match <tt>developer1</tt>, and hence the global rule will be used.
+</p>
 
 </div>  <!-- compat-misc-authz -->
 
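Review bot: The affected-version wording in the added paragraph "Subversion servers running 1.10.0 up to 1.10.6 or 1.14.0" leaves out 1.11.x through 1.13.x, although the unchanged background text says the behaviour existed "from Subversion 1.10 through 1.14.0". That context sentence is in turn no longer exact, now that the fix is stated to be in 1.10.7 as well. Suggest one consistent statement of the affected range in both places. Separately, the sentence telling administrators to adjust their rules now sits in the background paragraph, before the fix is described. The example shows developer1 going from no access to rw on project1 once the fix is applied, so it is worth stating next to the example that global grants become effective in repositories that have their own rule for the same path, and that rule sets should be reviewed before upgrading.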

