info-cvs

Re: Problems with cvs_acls


From: Peter Connolly
Subject: Re: Problems with cvs_acls
Date: Tue, 29 May 2007 13:44:13 -0700

Afaik, '*' does not work in cvs_acl.  If you want a '*' glob, leave
that param empty.

Normal usage is to list denies first, then allows.

http://cvs.savannah.gnu.org/viewvc/*checkout*/cvs/ccvs/contrib/cvs_acls.html?revision=1.3

In your case, try:

deny|||test_tag_branch2
allow



On 5/29/07, Mark E. Hamilton <address@hidden> wrote:
Hi,

I have not had an opportunity for a while to struggle with this issue,
but someone recently responded directly to me with a suggestion:

 > Did anyone ever answer your question? I think you need to add
 > an 'allow' line for the default list of users and the deny after
 > that to disallow just the branch.

 > If so, please do summarize to the list what solution you used.


So I took another crack at this issue. Currently my cvsacl file looks
like this:

allow|mhamilt||
deny|||test_tag_branch2

However, it still doesn't allow me to commit files to the head branch:

Debug turned on...
15577 $debug flag set on.
15577 $arg for processArgs loop is: -u.
15577 client-side $userId set to: mhamilt.
15577 $arg for processArgs loop is: mhamilt.
15577 $arg for processArgs loop is: /cvsroot/playground/playground.
15577 $arg for processArgs loop is: test.dat.
15577 processArgs returning $userId: mhamilt.
15577 @ARGV after processArgs is: /cvsroot/playground/playground test.dat.
15577 ========== Begin  for "/cvsroot/playground/playground" repository.
==========
15577 @ARGV after shift processing
contains:/cvsroot/playground/playground, test.dat.
15577 $cvsroot is: /cvsroot/playground.
15577 Repos: playground
15577 ==== playground/test.dat
15577 File / Branch
15577 CVS Entry 1: test.dat/
15577 ==========
15577 Processing 'cvsacl' line: allow|mhamilt||.
15577 $user_name: mhamilt $user_match match flag is: 1.
15577 Adding all modules to %repository_matches; null $cvsacl_modules
and $cvsacl_branches.
15577 $repository_matches{playground/test.dat} = [HEAD, ].
15577 Matches for: %repository_matches: playground/test.dat.
15577 An "allow" match on User(s): mhamilt; Module(s): ; Branch(es): .
15577 Removing %repository_matches entry: playground/test.dat.
15577 ==== End of processing for 'cvsacl' line: allow|mhamilt||.
15577 ==========
15577 Processing 'cvsacl' line: deny|||test_tag_branch2.
15577 $user_name: mhamilt $user_match match flag is: 1.
15577 Branches from 'cvsacl' record: test_tag_branch2.
15577 $repository_matches{playground/test.dat} = [HEAD, ].
15577 Matches for: %repository_matches: playground/test.dat.
15577 An "deny" match on User(s): ; Module(s): ; Branch(es):
test_tag_branch2.
15577 Adding %repository_matches entry: playground/test.dat.
15577 ==== End of processing for 'cvsacl' line: deny|||test_tag_branch2.
**** Access denied: Insufficient authority for user: 'mhamilt' to commit
to 'playground'.
**** Contact CVS Administrators if you require update access to these
directories or files.
**** file(s)/dir(s) restricted were:
         playground/test.dat
15577 restrict_log record being written: 2007/05/29 14:21:53 Commit
attempt by: mhamilt for: playground/test.dat on branch: HEAD.
  to /cvsroot/playground/CVSROOT/restrict_log.
15577 ==== $exit_val = 1
cvs commit: Pre-commit check failed
cvs



I also tried

allow|*||
deny|||test_tag_branch2

which didn't work either. If I switch the order of these two lines it
allows me to commit to both HEAD and test_tag_branch2, which isn't what
I wanted. I want to prevent everyone (including me) from committing to
the test_tag_branch2 branch.


As a side note, at one point I changed the cvsacl file to look like this

deny||*|test_tag_branch2

When I tried my commit it reported the error shown below, but then went
ahead and committed the file.

***** Item to commit was neither a regular file nor a directory.
***** Current 'cvsacl' line ignored.
***** Possible problem with 'cvsacl' admin file. Please contact a CVS
administrator.

Checking in test.dat;
/cvsroot/playground/playground/test.dat,v  <--  test.dat
new revision: 1.59; previous revision: 1.58
done


Wouldn't it be more reasonable (and secure) to disallow all commits if
there's an error in the cvsacl file? My assumption is that anyone
fiddling with this would probably have access to the repository anyway,
and so could directly edit the file in order to allow a commit that
would correct any errors.


Mark E. Hamilton wrote:
> Hi,
>
> I'm trying to use cvs_acls (from the 1.11.21 distribution) to prevent
> checkins to specific branches. My commitinfo file looks like this:
>
> ALL $CVSROOT/CVSROOT/commit_prep
> ALL $CVSROOT/CVSROOT/cvs_acls -d -u $USER
>
> and the cvsacl file looks like this:
>
> deny|||test_tag_branch2
>
> What I hoped this would do is to prevent anyone from checking anything
> in to the test_tag_branch2 branch, but allow other changes to the
> repository.
>
> When I checked out a file from the branch, changed it, and tried to
> commit it, it failed. All good so far. Then I updated the file to the
> HEAD revision, changed it, and tried to commit it. It still failed. I
> tried a few other files with the same results.
>
> The debug output looks like this. Am I misunderstanding how the
> deny/allow patterns are supposed to work, or is there something else wrong?
>
>
> sahp7635% cvs commit -m 'test'
> cvs commit: Examining .
> cvs commit: Examining subdir
> cvs commit: Examining subdir/deepdir
> cvs commit: Examining test_dir
> ? test.dat.bck
> Debug turned on...
> 5995 $debug flag set on.
> 5995 $arg for processArgs loop is: -u.
> 5995 client-side $userId set to: mhamilt.
> 5995 $arg for processArgs loop is: mhamilt.
> 5995 $arg for processArgs loop is: /cvsroot/playground/playground.
> 5995 $arg for processArgs loop is: test.dat.
> 5995 processArgs returning $userId: mhamilt.
> 5995 @ARGV after processArgs is: /cvsroot/playground/playground test.dat.
> 5995 ========== Begin  for "/cvsroot/playground/playground" repository.
> ==========
> 5995 @ARGV after shift processing
> contains:/cvsroot/playground/playground, test.dat.
> 5995 $cvsroot is: /cvsroot/playground.
> 5995 Repos: playground
> 5995 ==== playground/test.dat
> 5995 File / Branch
> 5995 CVS Entry 1: test.dat/
> 5995 ==========
> 5995 Processing 'cvsacl' line: deny|||test_tag_branch2.
> 5995 $user_name: mhamilt $user_match match flag is: 1.
> 5995 Branches from 'cvsacl' record: test_tag_branch2.
> 5995 $repository_matches{playground/test.dat} = [HEAD, ].
> 5995 Matches for: %repository_matches: playground/test.dat.
> 5995 An "deny" match on User(s): ; Module(s): ; Branch(es):
> test_tag_branch2.
> 5995 Adding %repository_matches entry: playground/test.dat.
> 5995 ==== End of processing for 'cvsacl' line: deny|||test_tag_branch2.
> **** Access denied: Insufficient authority for user: 'mhamilt' to commit
> to 'playground'.
> **** Contact CVS Administrators if you require update access to these
> directories or files.
> **** file(s)/dir(s) restricted were:
>         playground/test.dat
> 5995 restrict_log record being written: 2007/04/23 17:25:39 Commit
> attempt by: mhamilt for: playground/test.dat on branch: HEAD.
>  to /cvsroot/playground/CVSROOT/restrict_log.
> 5995 ==== $exit_val = 1
> cvs commit: Pre-commit check failed
> cvs [commit aborted]: correct above errors first!
>
>
> The restrict_log contains these messages (not really surprising, I suppose.)
>
> 2007/04/23 14:41:54 Commit attempt by: mhamilt for: playground/test.dat
> on branch: test_tag_branch2.
> 2007/04/23 15:24:32 Commit attempt by: mhamilt for: playground/test.dat
> on branch: HEAD.
> 2007/04/23 17:10:59 Commit attempt by: mhamilt for: playground/test.dat
> on branch: HEAD.
> 2007/04/23 17:14:21 Commit attempt by: mhamilt for: playground/test.dat
> on branch: test_tag_branch2.
>
>


--
----------------
Mark E. Hamilton
Orion International Technologies, Inc.
Sandia National Laboratory, NM.
505-844-7666
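
The fail-closed behaviour asked for above can be enforced outside cvs_acls by a separate pre-commit check. The following is an added example, not part of the original thread and not code from cvs_acls: a small linter that flags the bare '*' fields discussed above and returns a non-zero status on any problem or if the file cannot be read. The field order (action|users|modules|branches), comma-separated lists and '#' comment lines are assumptions inferred from the cvsacl lines and debug output quoted in the thread.

```python
import sys

# Assumed layout, inferred from the thread: action|users|modules|branches,
# with trailing fields optional (a bare "allow" line appears in the reply).
ACTIONS = {"allow", "deny"}
FIELD_NAMES = ("users", "modules", "branches")


def lint_cvsacl(text):
    """Return a list of (line_number, message) problems; empty means clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        action, *rest = line.split("|")
        if action not in ACTIONS:
            problems.append((lineno, f"unknown action {action!r}"))
        if len(rest) > len(FIELD_NAMES):
            problems.append((lineno, f"{len(rest) + 1} fields, expected at most 4"))
        for name, value in zip(FIELD_NAMES, rest):
            # Assumption: a field holds a comma-separated list of names.
            items = [item.strip() for item in value.split(",")]
            if "*" in items:
                problems.append(
                    (lineno, f"bare '*' in {name} field; leave it empty to match all"))
    return problems


def check_file(path):
    """Exit status for a pre-commit hook: 0 only if the file is readable and clean."""
    try:
        with open(path, encoding="utf-8") as handle:
            problems = lint_cvsacl(handle.read())
    except OSError as exc:
        print(f"cvsacl lint: cannot read {path}: {exc}", file=sys.stderr)
        return 1  # fail closed: an unreadable ACL file blocks the commit
    for lineno, message in problems:
        print(f"cvsacl lint: line {lineno}: {message}", file=sys.stderr)
    return 1 if problems else 0


# Constructed sample inputs, built from cvsacl lines quoted in the thread.
GOOD = "deny|||test_tag_branch2\nallow\n"
BAD = "deny||*|test_tag_branch2\n"

if __name__ == "__main__":
    # First argument is the cvsacl path; any further arguments are ignored.
    sys.exit(check_file(sys.argv[1]) if len(sys.argv) >= 2 else 2)
```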








