After much code tracing I think I have this figured out. First, while I *knew* I had authz_module_name set, it was commented out, so there was nothing mysterious there. This explained all my trouble.
The Trac authorizer is only checking for read permission. I traced through the logic, and I think it's doing something reasonable. Starting with the path, it looks for config sections that are successively shorter. So for /foo/bar, it looks for /foo/bar and then /foo and then /. (There are also trailing slashes, but I'm ignoring that.) Then, within each section (see _get_section in svn_authz.py), it looks to see if there is a username= line. If there is, the result is used. If not, each group the user is in is checked, and each one that is other than None is yielded, leading to granting access if the user is a member of any group that can read. So I think

    biggroup = rw
    deniedpeople =

will result in a user in both groups getting access, and this did happen. But I think it depends on group search order.

I'm also not sure if a user with write but not read access will be able to read with Trac. That is of course bizarre and maybe doesn't even make sense with Subversion.

So I'm not 100% sure this is all correct, and I don't even really know what correct is, but it's working for what I need.
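The lookup order described in the message above, as an added example that is not part of the original post and is not Trac's svn_authz.py: a small model showing that an empty group rule does not revoke read access granted through another group. The sample file, user names, the `@group` rule syntax and the deny-by-default fallback are assumptions made for the illustration.

```python
import configparser

# Constructed sample authz file (hypothetical users, not from the post).
SAMPLE_AUTHZ = """
[groups]
biggroup = alice, bob
deniedpeople = bob
[/]
carol = r
[/foo]
@biggroup = rw
@deniedpeople =
dave =
"""

def parse_authz(text):
    """Return (groups, sections) from authz-style text with a [groups] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",") if m.strip()}
              for g, v in cp.items("groups")}
    sections = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, sections

def candidate_sections(path):
    """Yield /foo/bar, then /foo, then / (trailing slashes ignored)."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])

def can_read(user, path, groups, sections):
    """Model of the described check: only read permission is evaluated."""
    for name in candidate_sections(path):
        section = sections.get(name)
        if section is None:
            continue
        if user in section:  # an explicit username line decides the result
            return "r" in section[user]
        # Otherwise collect a verdict from every group rule the user matches.
        verdicts = ["r" in perms for key, perms in section.items()
                    if key.startswith("@") and user in groups.get(key[1:], ())]
        if verdicts:  # any group that can read grants access
            return any(verdicts)
    return False  # assumption: no matching rule anywhere means no access

if __name__ == "__main__":
    groups, sections = parse_authz(SAMPLE_AUTHZ)
    for user in ("alice", "bob", "carol", "dave"):
        print(user, can_read(user, "/foo/bar", groups, sections))
```

In this model `bob` can read `/foo/bar` despite the empty `@deniedpeople` rule, while `dave` is blocked, so a per-user empty line is the entry that actually denies.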
