Am Dienstag, 22. Februar 2011, 09:55:51 schrieb Neil McGovern:
I'm having a little bit of trouble implementing ACLs in a 2.1. When
trying to insert (into the project config):
<group groupid="Amino" role="maintainer"/>
You are aware that binarydownload is not protecting binaries security
wise ? People still can get it via builds for example.
osc complains that:
Sending meta data...
BuildService API error: change_project_protection_level (403)
admin rights are required to raise the source protection level of a
Try again? ([y/N]):
This also seems to occur with the webui.
Interestingly, api/app/controllers/source_controller.rb contains the
p = Project.new(request_data, :name => project_name)
if @project and not @project.disabled_for?('sourceaccess', nil, nil)
if p.disabled_for? :sourceaccess
render_error :status => 403, :errorcode =>
:message => "admin rights are required to raise the source
protection level of a project"
This doesn't seem to check for if a user is an admin or not, but (if I'm
reading the code right) simply checks to see if the sourceaccess flag is
being added at all.
right. I fixed that the other day, it will be part of 2.1.6 release.
So... commenting out section allows me to add the
flag, but then more
interesting problems occur. It doesn't seem to matter what 'group'
you're actually in, you can view the spec file via the webui, the
download links (for the source) fail with access denied errors, but the
source can be downloaded via osc!
The webui in 2.1 does a global caching. One of the reasons why only new created
projects/packages can have sourceaccess disabled by default.
I'm hoping some basic understanding is missing
here, and I'm not going
completely insane. Does anyone have any thoughts about what could be
The read access part of the ACLs is not very mature in 2.1. You may want to
try the 2.3 candidate packages from openSUSE:Tools:Unstable which are more
complete (but still also not yet 100% ready).
SUSE Linux Products GmbH
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-buildservice+help(a)opensuse.org