bug-cvs

need/want per module users ... need hints about developing


From: wim delvaux
Subject: need/want per module users ... need hints about developing
Date: Sat, 2 Aug 2003 02:38:52 +0200
User-agent: KMail/1.5.2

Hi all,

I have the following problem.

A group (g1) of users (e.g. u1) needing access to projects of classes P1 and P2.
A group (g2) of users (e.g. u2) needing access only to projects of class P2.

Solution: create a P1 user (cu1) and a P2 user (cu2) and chown -R all the 
files in the P1 project to cu1 and P2 to cu2.
Add entries for u1 and u2 and translate to cu1 and cu2 respectively. Give the 
group of cu1 also access to files of group cu2.

This way cu2 only has access to P2 projects and cu1 has access to both. 

However, when a cu1 user adds a file to a P2 project, the file is owned by cu1,
to which cu2 DOES NOT HAVE ACCESS.

What is the solution? Easy: an extension of the CVSROOT/passwd format.
Now you can write:

u1:..:cu1

However, you will be able to write:

u1:...:module1(cu1_module1),module_2(cu1_module2), ....

Meaning that alternate users are assigned per module and per user.

In our example, we would have:
u1:...:P1(cu1),P2(cu2)
u2:...:P2(cu2)
This defines that user u1 (of group g1, but that is implicit) has access to P1 
as cu1 and P2 as cu2.  User u2 only has access to P2 as cu2.

If u1 adds a file, the file would be created as cu2 just as if it was 
created by u2.  This way everything works perfectly.

How does this impact the code?  Relatively easy ... I think.

Now, once the login/passwd is sent, the system checks the password and returns 
a host_user which is either the cvs_user or the alternative user (in the new 
case the full third part).

Then the code performs a 'switch_to_user'.  This is done in each 
authentication but could be filtered out.

Basically this switch needs to be deferred until the module is known to which 
the files will be committed. 

As a consequence the switch_to_user call needs to be performed just AFTER the 
repository is known (i.e. the content of the CVS/Repository file or similar) 
and just BEFORE the command requested is to be performed.  I.e. the 
switch_to_user should be p
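
Added example, not part of the original post and not CVS code: one way the proposed third field of a CVSROOT/passwd line could be resolved to a system user once the module is known. The names `resolve_run_as` and `copy_name` are hypothetical, the sample lines are constructed from the post's own example, and denying access when a module is not listed or the list is malformed is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy n bytes of s into out as a NUL-terminated name. */
static int copy_name(char *out, size_t outlen, const char *s, size_t n)
{
    if (n == 0 || n >= outlen)
        return -1;                       /* empty or oversized name: deny */
    memcpy(out, s, n);
    out[n] = '\0';
    return 0;
}

/* Pick the system user for `module` from one passwd line (newline already
 * stripped).  Returns 0 and fills `out`, or -1 to deny.  Third field: absent
 * (run as the CVS user), a plain name, or the proposed mod(user),mod(user). */
int resolve_run_as(const char *line, const char *module,
                   char *out, size_t outlen)
{
    const char *c1 = strchr(line, ':');
    if (c1 == NULL)
        return -1;
    const char *c2 = strchr(c1 + 1, ':');
    if (c2 == NULL || c2[1] == '\0')     /* no third field */
        return copy_name(out, outlen, line, (size_t)(c1 - line));
    const char *p = c2 + 1;
    if (strchr(p, '(') == NULL)          /* existing single-user form */
        return copy_name(out, outlen, p, strlen(p));
    size_t mlen = strlen(module);
    while (*p != '\0') {
        const char *open = strchr(p, '(');
        const char *close = open ? strchr(open, ')') : NULL;
        if (close == NULL)
            return -1;                   /* malformed list: deny */
        if ((size_t)(open - p) == mlen   /* exact match: "P1" is not "P10" */
            && strncmp(p, module, mlen) == 0)
            return copy_name(out, outlen, open + 1, (size_t)(close - open - 1));
        p = (close[1] == ',') ? close + 2 : close + 1;
    }
    return -1;                           /* module not listed: deny */
}

int main(void)
{
    char who[32];                        /* constructed lines; "x" stands for the hash */
    if (resolve_run_as("u1:x:P1(cu1),P2(cu2)", "P2", who, sizeof who) == 0)
        printf("u1 on P2 runs as %s\n", who);
    if (resolve_run_as("u2:x:P2(cu2)", "P1", who, sizeof who) != 0)
        printf("u2 on P1 denied\n");
}
```

The lookup needs the module name, which is why it can only run at the point the post describes: after the repository is known and before the requested command executes.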




