mkaccess

https://svn.uni-konstanz.de/dbis/svntools/mkaccess/

Stefan Klinger. Database & Information Systems (DBIS) Group, Uni Konstanz.
Published under the GNU Affero General Public License

Automagic generation of the subversion access database
======================================================

When cleaning up the mess in the `access` file, I made a mistake: The new file referred to an undefined group. As a result, the `access` file was not parsed anymore *at all*, no repository was accessible.

The messy structure of the `access` file partly originates from the distance of group definitions from access right definitions. Also, nobody feels responsible to clean up an unused repository.

To this end, `access` is autogenerated from a bunch of independent files from now on. To add entries, proceed as follows:

* create a new file below `access.d` with the same name as the repository for which you want to manage access rights. This file must belong to the same group as the `access.d` directory, and have mode at least (bitwise) 640.
* In this new file, you may define groups under a `[groups]` header, just as you are used to do from the `access` file. It is strongly encouraged to prefix group names with the repos name, to avoid name clashes with future repositories!
* Add access rights for individual paths, using the `[repos:/path]` notation as usual.
* Then run `./mkaccess` to compile the `access` file. Consistency checks make the process fail if you refer to undefined groups, or do not provide sufficient permissions.

The following consistency checks are provided:

* `access.d` has mode 770
* Imported permissions are readable by everyone in the group, i.e., `access.d/` has mode 640 at least. Failure to comply skips the delinquent.
* A repository exists with a name matching the one given in `access.d/`. Failure to comply skips the delinquent. May be overridden.
* Suggest to make `repos//db/rep-cache.db` writable for the group. [This has been disabled: Not necessary any more.]
* Some minor syntax checks.
* Encourage to prefix the names of groups with the name of the repository, to avoid name clashes in the future. May be muted.
* Forbid to redefine groups of users. Failure to comply stops compilation. It cannot be decided who defined his group first.
* Warn if groups are referenced, but not defined in the *same* file. May be muted. Road to perdition.
* Forbid cycles in group definitions. Failure to comply skips the delinquent.
* Section headers always refer to the correct repository, i.e., one cannot define access rights for other repositories. Failure to comply skips the delinquent.
* There are no references to undefined groups in the resulting `access` file.
* Resulting `access` will have mode 660, and belong to the same group as `access.d`.

`mkaccess` should try hard to keep going, even if someone else has put a cheesy config into `access.d` — but it will fail on conflicting group name definitions.

Enjoy

License
-------

Copyright (C) 2013 Stefan Klinger

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see .

---

last change: $Date: 2013-01-16 23:58:36 +0100 (Wed, 16 Jan 2013) $
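
Three of the consistency checks listed above (section headers naming another repository, groups referenced but not defined in the same file, and cycles in group definitions) can be sketched for a single `access.d` fragment as follows. This is an added example, not mkaccess's own code; the function name `check_fragment`, the repository name `proj` and the sample fragment are assumptions, and the parser handles only `[groups]` and `[repos:/path]` sections.

```python
import re

def check_fragment(repo, text):
    """Return problems found in one access.d fragment belonging to `repo`."""
    groups, refs, problems, section = {}, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            # Only [groups] and [<repo>:/path] headers are accepted here.
            if section != "groups" and section.split(":", 1)[0] != repo:
                problems.append(f"foreign section [{section}]")
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        if section == "groups":
            groups[name] = [m.strip() for m in value.split(",") if m.strip()]
            refs.update(m[1:] for m in groups[name] if m.startswith("@"))
        elif name.startswith("@"):
            refs.add(name[1:])  # group used in an access rule
    problems += [f"undefined group @{g}" for g in sorted(refs - set(groups))]
    def reaches(start, group, seen):  # depth-first walk over nested @groups
        for member in groups.get(group, ()):
            nested = member[1:] if member.startswith("@") else None
            if nested == start:
                return True
            if nested and nested not in seen:
                seen.add(nested)
                if reaches(start, nested, seen):
                    return True
        return False
    problems += [f"cycle through group @{g}"
                 for g in sorted(groups) if reaches(g, g, set())]
    return problems

# Constructed sample fragment, as it might sit in access.d/proj (assumption).
SAMPLE = """\
[groups]
proj-devs = alice, @proj-leads
proj-leads = bob, @proj-devs
[proj:/trunk]
@proj-devs = rw
@proj-qa = r
[other:/]
"""
if __name__ == "__main__":
    print("\n".join(check_fragment("proj", SAMPLE)))
```

Running such a check per fragment before merging keeps one faulty file from producing an `access` file that cannot be parsed at all, which is the failure described at the top of this page.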