authzpolicy FineGrainedPermissions: configuration file order matters, but more/less specific patterns don't
|Reported by:||Owned by:|
|Severity:||normal||Keywords:||permissions authzpolicy authz configuration|
|Cc:||Ryan J Ollos||Branch:|
When using FineGrainedPermissions and authzpolicy, we had the following configuration:
@group = user [wiki:Page*] # the page and all subpages @group = WIKI_VIEW [wiki:Page/SpecificSubpage] # a specific subpage @group = WIKI_VIEW, WIKI_MODIFY
The intention was that the given user group should be allowed to edit the specific subpage, but only view the
Page and its other subpages.
However, the user was not able to edit
Reversing the order of both entries helps.
Although the Subversion authz documentation says that "the most specific path always matches first", Trac's implementation of authz apparently takes the first pattern that matches.