'ci' permission does not seem to affect merging


lukeb

Hi,

 

We've just started using Plastic [5.4.16.651] and I'm trying to set up security.  

 

My plan is to create a 'main' branch, which other developers can create sub-branches from but only I can check changes into.  I've seen this model mentioned in various places and I thought it would simply be a case of removing the 'ci' permission from the main branch for everyone other than me.

 

However, it seems that whilst removing the 'ci' permission prevents users checking changes directly into the branch, it does not prevent changes being checked in as a result of merging from a child branch.

 

Is there some other permission that must be used to prevent changes being checked in as a result of merge in a child branch?

 

Luke


Hi Luke,

 

Can you tell me more about the main branch ACL? Maybe a screenshot or the user permissions might help.

 

Also, how are you performing the merge operation? Is it a regular merge operation or a "merge-to" operation?

 

Thanks.


  • I've created a group called 'developers' containing a user called 'testuser': post-29086-0-62960000-1429524160_thumb.png
  • The main branch is called 'trunk', owned by an 'admin' user and I've denied the 'ci' permission from the 'developers' group
  • The ACL for 'trunk' is below:
cm sa --extended br:/trunk
ACL: 1
Creator br:/trunk@rep:profile7@repserver:PLASTIC:8087
Entries
developers:
Denied:
ci
Inherited
ACL: 0
Creator rep:profile7@repserver:PLASTIC:8087
Inherited
ACL: 0
Creator repserver:PLASTIC:8087
Entries
administrators:
Allowed:
all
OWNER:
Allowed:
chgperm chgowner view read rename changecomment mkrepository rmrepository rmchangeset rmlabel rmtrigger rmattr mkchildbranch mktop-levelbranch mklabel mkattr mktrigger mergefrom applylabel applyattr replicateread replicatewrite add change move rm ci advancedquery all
developers:
Allowed:
all

 

  • I've configured the plastic client to use the 'testuser' user (and confirmed with cm whoami)
  • I then try the following 2 scenarios

Scenario 1 : direct check out

  • checked a file directly from the 'trunk' branch
  • at this point the branch explorer looks like this: post-29086-0-23723600-1429522704_thumb.png
  • when I try and check in I get an error "You don't have permission on ..." as expected

Scenario 2 : child branch merge

  • created a child branch called 'test' from 'trunk'
  • switched workspace to 'trunk/test'
  • checked out a file, made changes, checked back in
  • switched workspace to 'trunk'
  • right clicked on 'trunk/test' and chose 'Merge from this branch...' then 'process all merges'
  • at this point branch explorer looks like this: post-29086-0-78240300-1429523725_thumb.png
  • I then attempted to check in the pending changes expecting to be prevented by lack of permission, but in fact it worked

 

I've tried various changes with Scenario 2 (defining permissions at user rather than group level, attempting the merge in a different way) but the effect is always the same - the checkin following the merge is always allowed.



Archived

This topic is now archived and is closed to further replies.
