need/want per module users ... need hints about developing
From: wim delvaux
Subject: need/want per module users ... need hints about developing
Date: Sat, 2 Aug 2003 02:38:52 +0200
User-agent: KMail/1.5.2

Hi all,
I have the following problem.
a group (g1) of users (e.g u1) needing access to projects of classes P1 and
P2
a group (g2) of users (e.g u2) needing access only to projects of class P2.
Solution: create a P1 user (cu1) and a P2 user (cu2) and chown -R all the
files in the P1 project to cu1 and P2 to cu2.
Add entries for u1 and u2 and translate to cu1 and cu2 respectively. Give the
group of cu1 also access to files of group cu2.
This way cu2 only has access to P2 projects and cu1 has access to both.
However, when a cu1 user adds a file to a P2 project, the file is owned by cu1,
to which cu2 DOES NOT HAVE ACCESS.
What is the solution? Easy: an extension of the CVSROOT/passwd format.
Now you can write :
u1:..:cu1
However you will be able to write
u1:...:module1(cu1_module1),module_2(cu1_module2), ....
Meaning that alternate users are assigned per module and per user.
In our example, we would have
u1:...:P1(cu1),P2(cu2)
u2:...:P2(cu2)
This defines that user u1 (of group g1 but that is implicit) has access to P1
as cu1 and P2 as cu2. user u2 only has access to P2 as cu2.
If u1 adds a file, the file would be created as cu2 just like if it was
created by u2. This way everything works perfectly
How does this impact the code? Relatively easy ... I think.
Now, once the login/passwd is sent, the system checks the password and returns
a host_user which is either the cvs_user or the alternative user (in the new
case the full third part).
Then the code performs a 'switch_to_user'. This is done in each
authentication but could be filtered out.
Basically this switch needs to be deferred until the module is known to which
the files will be committed.
As a consequence the switch_to_user call needs to be performed just AFTER the
repository is known (i.e the content of the CVS/Repository file or similar)
and just BEFORE the command requested is to be performed. I.e the
switch_to_user should be p
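The per-module third field proposed in the message above, resolved for one module, as an added example (not code from the original post or from CVS). `resolve_module_user` is a hypothetical helper, and denying a module that the entry does not list is an assumption the message does not spell out.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: map (third passwd field, module) to a system user.
 * Accepts the existing form "cu1" and the proposed "P1(cu1),P2(cu2)".
 * Returns 0 and fills out, or -1 when malformed or module not listed. */
int resolve_module_user(const char *field, const char *module,
                        char *out, size_t outlen)
{
    if (!field || !module || !out || !*field || !*module) return -1;
    if (!strpbrk(field, "(),")) {           /* existing single-user form */
        if (strlen(field) >= outlen) return -1;
        strcpy(out, field);
        return 0;
    }
    size_t mlen = strlen(module);
    for (const char *p = field; *p; ) {
        const char *open = strchr(p, '(');
        const char *close = open ? strchr(open, ')') : NULL;
        /* need non-empty module, non-empty user, then ',' or end */
        if (!open || !close || open == p || close == open + 1) return -1;
        if (close[1] != '\0' && close[1] != ',') return -1;
        if (memchr(p, ',', (size_t)(open - p))) return -1;
        size_t ulen = (size_t)(close - open - 1);
        if ((size_t)(open - p) == mlen && strncmp(p, module, mlen) == 0) {
            if (ulen >= outlen) return -1;
            memcpy(out, open + 1, ulen);
            out[ulen] = '\0';
            return 0;
        }
        p = close + 1;
        if (*p == ',' && *++p == '\0') return -1;   /* trailing comma */
    }
    return -1;   /* assumption: a module the entry does not list is denied */
}

int main(void)
{
    /* Constructed inputs: the u1 and u2 entries from the message. */
    const char *fields[] = { "P1(cu1),P2(cu2)", "P2(cu2)" };
    const char *modules[] = { "P1", "P2" };
    char user[32];
    for (int f = 0; f < 2; f++)
        for (int m = 0; m < 2; m++) {
            int rc = resolve_module_user(fields[f], modules[m], user, sizeof user);
            printf("%-16s %s -> %s\n", fields[f], modules[m], rc ? "denied" : user);
        }
    return 0;
}
```

The lookup compares whole module names, so an entry for `P10` does not grant `P1`, and a malformed field is rejected instead of falling back to some default user.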