On Sun, 2006-06-04 at 17:14 +0200, Benoît Dejean wrote:
> Hey, I'm running a 0.26 server like this:
> 
> $MTN --db=$DB serve 'fr.placenet*'
> 
> with read-permissions:
> comment "Placenet Fr"
> pattern "fr.placenet*"
> allow "[EMAIL PROTECTED]"
> allow "[EMAIL PROTECTED]"
> allow "[EMAIL PROTECTED]"
> 
> and write-permissions:
> 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> 
> I'm totally lost because this afternoon user [EMAIL PROTECTED] was
> able to push 'cyp.stage' on the server... how can that be? How can I
> restrict a server to deal only with 'fr.placenet*'? What's the point in
> allowing people to push whatever branches they want but without being
> able to pull them later?
> 
> log says:
> mtn: allowed '[EMAIL PROTECTED]' read permission for 'cyp.stage'
> excluding ''
> mtn: allowed '[EMAIL PROTECTED]' write permission for 'cyp.stage'
> excluding ''

Write permissions really are anything-or-nothing.

It denies permission if what they want to sync includes a branch that
you already have, that either doesn't match what's being served or that
they aren't allowed to read.

In this case, their include pattern ("cyp.stage") didn't match anything
on your server, so it had no reason to say "no, you can't look at
that" (since there wasn't anything to look at). In particular, netsync
does not see cyp.stage as a branch name, it sees it as a pattern to
match branches against. Since the server doesn't have any branches that
match this pattern, it doesn't have anything to prohibit the client from
reading.

They won't be able to sync that branch again, since sync is r/w and
they're not allowed to read that branch. They also won't be able to push
it again, but this is more because read permissions are always checked
(even if they're doing write-only), which IMHO is a bug.

Tim
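
The check described in the reply above, as an added example that is not part of the original message and is not monotone's own code: a simplified Python model of the decision, plus an audit helper that lists branches lying outside the served pattern. It assumes `fnmatch`-style globs stand in for monotone's pattern syntax; the function names and every branch name other than 'cyp.stage' are constructed.

```python
from fnmatch import fnmatchcase  # assumption: stands in for monotone's globs


def netsync_allows(include, served, readable, existing, may_write):
    """Simplified model of the server-side check described in the reply.

    include   -- pattern sent by the client (a pattern, not a branch name)
    served    -- pattern given to `mtn serve`
    readable  -- read-permissions patterns that allow this client's key
    existing  -- branches already in the server database
    may_write -- True if the key is listed in write-permissions
    """
    if not may_write:  # write permission is all-or-nothing
        return False
    for branch in existing:
        if not fnmatchcase(branch, include):
            continue  # the client's pattern does not select this branch
        if not fnmatchcase(branch, served):
            return False  # selected branch is outside what is served
        if not any(fnmatchcase(branch, p) for p in readable):
            return False  # selected branch is not readable by this key
    return True  # nothing selected, or everything selected is permitted


def unserved_branches(existing, served):
    """Audit helper: branches in the database that the served pattern misses."""
    return sorted(b for b in existing if not fnmatchcase(b, served))


# Constructed database contents; only 'cyp.stage' and 'fr.placenet*' are
# taken from the thread.
SERVED = "fr.placenet*"
READABLE = ["fr.placenet*"]
db = ["fr.placenet.core", "fr.placenet.web"]

first_push = netsync_allows("cyp.stage", SERVED, READABLE, db, may_write=True)
db.append("cyp.stage")  # the first push created the branch on the server
second_push = netsync_allows("cyp.stage", SERVED, READABLE, db, may_write=True)

if __name__ == "__main__":
    print("first push allowed: ", first_push)    # pattern matched no branch
    print("second push allowed:", second_push)   # branch now exists, unserved
    print("outside served pattern:", unserved_branches(db, SERVED))
```

On a real server the input to `unserved_branches` would be the branch list read from the database being served.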




_______________________________________________
Monotone-devel mailing list
Monotone-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/monotone-devel
