ACLTransport and Other ACL Thoughts
Jeff Abbott
fdiv_bug at sniping.org
Thu Feb 28 04:39:45 GMT 2008
Folks,

In doing more thinking about ACLs in Bazaar, I was looking over the
ACLTransport spec (http://bazaar-vcs.org/Specs/ACLTransport) and digging
through source seeing what I could learn, and a thought occurred to me:
Could this be done with a TransportDecorator?

My inspiration came largely from ReadonlyTransportDecorator, except
instead of universally saying "no" to some operations it would check a
config file before doing so. I was figuring that
.bzr/branch/branch.conf could be used for this purpose with sections like:

[read]
** = *

[write]
** = alice
docs/* = bob, charlie
src/** = david

[deny]
** = edward

In that example, everyone except edward would have "pull" and "branch"
access, and the other people listed in the [write] section would have
"push" access to the respective portions of the branch (i.e. alice can
push to anywhere, bob and charlie can only push to the docs directory
but none of its subdirectories, and david can push to src and anywhere
below).

I'm not sure if we'd need, or even want, that level of granularity, but
it seems like it'd be better to implement that now rather than do it
more coarsely and have to re-think things again in the future when
someone finds a good case for it being more precise. I'm also not
convinced that .bzr/branch/branch.conf is the right place for this
information; perhaps .bzr/branch/access.conf would work better?

I've started fiddling with some code but I was wondering what other
people thought of the idea of, say, ACLTransportDecorator, before I go
too far along. If it turns out that doing it as a full-fledged
ACLTransport would be the better choice then, John, if you're around,
I'd be keen on working on that with you. Otherwise... where do we go
from here?

Thanks,
Jeff
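
The rule semantics described in the message, as an added example that is not part of the original post and is not Bazaar code. It assumes Python's standard configparser for the file format, that "*" in a user list means any user, and that a [deny] match overrides any grant; the function names are hypothetical.

```python
import configparser
import re

# Constructed sample: the sections from the message as one config file.
SAMPLE_CONF = """\
[read]
** = *
[write]
** = alice
docs/* = bob, charlie
src/** = david
[deny]
** = edward
"""

def glob_to_regex(pattern):
    """'*' stays within one directory level; '**' also crosses '/'."""
    out = []
    for part in re.split(r"(\*\*|\*)", pattern):
        if part == "**":
            out.append(".*")
        elif part == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out) + r"\Z")

def load_rules(text):
    """Return {section: [(compiled pattern, set of users), ...]}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep path patterns case-sensitive
    parser.read_string(text)
    return {
        section: [(glob_to_regex(pat), {u.strip() for u in users.split(",")})
                  for pat, users in parser.items(section)]
        for section in parser.sections()
    }

def section_matches(rules, section, user, path):
    return any(rx.match(path) and (user in users or "*" in users)
               for rx, users in rules.get(section, []))

def is_allowed(rules, operation, user, path):
    """operation is 'read' or 'write'. Assumption: [deny] always wins."""
    if section_matches(rules, "deny", user, path):
        return False
    # Default deny: no matching grant means no access.
    return section_matches(rules, operation, user, path)
```

A decorator in the style of ReadonlyTransportDecorator would call is_allowed() with "write" before each mutating transport operation and refuse when it returns False.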