Using cvs_acls to restrict commits

[jpmigue]

Hi

I want to be able to restrict commits in a certain repository/stream and cvs_acls looks just the trick:

http://www.opensource.apple.com/source/cvs/cvs-33.0.1/cvs/contrib/cvs_acls.html?f=text

However, I have a large repository (approx. 5GB) and so was interested in the following excerpt:

2. Put two lines, as the *only* non-comment lines, in your commitinfo file:

ALL $CVSROOT/CVSROOT/commit_prep
ALL $CVSROOT/CVSROOT/cvs_acls [-d][-u $USER ][-f <logfilename>]

where "-d" turns on debug trace
"-u $USER" passes the client-side userId to cvs_acls
"-f <logfilename"> overrides the default filename used to log
restricted commit attempts.

(These are handled in the processArgs() subroutine.)

If you are using client-side userIds to restrict access to your repository, make sure that they are in this order since the commit_prep script is required in order to pass the $USER parameter.

A final note about the repository matching pattern. The example above uses ``ALL'' but note that this means that the cvs_acls script will run for each and every commit in your repository. Obviously, in a large repository this adds up to a lot of overhead that may not be necesary. A better strategy is to use a repository pattern that is more specific to the areas that you wish to secure.

Which indicates that I can restrict the precommit check to a repository pattern.

This does not work though and from my understanding unless ALL is specified, only the first line to match has its script executed hence cvs_acls never is.

Does anybody have any experience using cvs_acls in this way?

Cheers

James