Hi,
On 19/03/2015 17:26, Roland Mas wrote:
> Sylvain Beucler - Inria, 2015-03-17 15:40:06 +0100:
>> When unifying https and unix permissions, I made the assumption that:
>> - group 'projname': read-only access on repos
>> - group 'scm_projname': grants read+write access on repos
>> However, I made some tests and the code currently assumes that:
>> - group 'projname': direct project member (whatever the RBAC privs)
>> - group 'scm_projname': read+write access on repos
>> Consequently "read-only access" is currently broken.
>> Should I go ahead and fix the code to conform to my first assumption
>> (projname=read-only)?
>> Or should I rename the groups entirely for clarity?
>> - projname_ro
>> - projname_rw
>> - (and ditch "projname" for simplicity)
>> - (and re-chgrp group homedirs)
>
> The _ro/_rw naming convention is fine, but I'm not sure we can enforce
> three levels of permissions (rw/ro/none) on the repositories with the
> "traditional" Unix filesystem permissions (user/group/other). That
> would require ACLs.

No ACL if you're on NFS, but you should check
076a6a8990eca4f0b0bf31ea8fb606024bbacdd4
6ec36e01e5ade1e2ea447b7f4d5967cb496ca6c1
for how I unified said https and unix permissions (with 2 ro/rw
subdirectories).
My question is not really about enforcing the permission (IMHO we just
have to).
It's about whether my proposed change of semantics will break a use case
I'm not aware of?
--
Sylvain
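
An added illustration, not part of the original message and not FusionForge's code: a small model of the POSIX owner/group/other check, showing one way the three levels discussed above (rw/ro/none) can be expressed without ACLs by placing a repository writable by `projname_rw` inside a gate directory that only `projname_ro` may traverse. The nesting, the modes and the user names are assumptions made for this example; the layout in the two commits cited above may differ.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int  # e.g. 0o750

def allowed(user, groups, node, want):
    """POSIX class selection: the first matching class decides, no fallthrough."""
    if user == node.owner:
        bits = node.mode >> 6
    elif node.group in groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return ((bits & 7) & want) == want

def access_level(user, groups, path):
    """Return 'rw', 'ro' or 'none' for the last directory in path."""
    *parents, target = path
    # Every parent directory must be searchable (x) to reach the target.
    if not all(allowed(user, groups, d, X) for d in parents):
        return "none"
    if allowed(user, groups, target, R | W | X):
        return "rw"
    if allowed(user, groups, target, R | X):
        return "ro"
    return "none"

# Constructed layout (assumption): a gate directory, then the repository.
GATE = Node("root", "projname_ro", 0o750)   # only projname_ro may traverse
REPO = Node("root", "projname_rw", 0o2775)  # group writes, others past the gate read
PATH = [GATE, REPO]

# Constructed users: writers must also be in projname_ro to pass the gate.
USERS = {
    "alice": {"projname_ro", "projname_rw"},
    "bob": {"projname_ro"},
    "carol": set(),
    "dave": {"projname_rw"},  # misconfigured: write group only, blocked at the gate
}

def report():
    return {user: access_level(user, groups, PATH) for user, groups in USERS.items()}

if __name__ == "__main__":
    for user, level in report().items():
        print(f"{user}: {level}")
```

In this model write access only works if every member of `projname_rw` is also a member of `projname_ro`, which is the kind of membership invariant a group rename has to preserve.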