My favorites | Sign in
Project Home Downloads Wiki Issues Source
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 511: Duplicated access controls result in no access for anybody
2 people starred this issue and may be notified of changes. Back to list
Status:  Started
Owner:  ----


Sign in to add a comment
 
Reported by rtylerc...@gmail.com, Mar 24, 2010
Per this discussion: http://groups.google.com/group/repo-
discuss/browse_thread/thread/5131f0a99a5acbd2

If a user [accidentally] adds two "Read Access" permissions, in my case for 
"Anonymous Users" all push access to the project breaks resulting in:

    % git push gerrit master 
        fatal: Upload denied for project 'news' 
        fatal: The remote end hung up unexpectedly 
    % 

Apr 10, 2010
#1 sop@google.com
Nico worked up this example of what's going on:

  Local:     READ +1 Anonymous users
  Inherited: READ +1 Anonymous users
  Inherited: READ +2 Registered users

Because everyone is a member of "Anonymous users" group
they match that local right of READ +1.  This shadows the
two inherited READ permissions.


The permission system isn't using the inherited permissions
here by design.  Its done this way so you can do:

  Local:     READ -1     Anonymous users
  Local:     READ +1..+2 Special People
  Inherited: READ +1     Anonymous users
  Inherited: READ +2     Registered users

This prevents anonymous users from seeing the project, but
allows "Special People" to see and upload to it.  It can be
useful to show most projects, but hide just a select handful.

Nico's patch in Iac783b8357932bba91a3b92db69e0bd9ef61fb24 is
going to break this behavior, which man cause surprises for
existing installations.


Right now, the behavior is "Working as Designed".  In my opinion
the bug here is that the design is hard to understand, and harder
still to diagnose when it doesn't work as expected.
Status: Started
Sign in to add a comment

Powered by Google Project Hosting