lukeb Posted April 17, 2015 Report Share Posted April 17, 2015 Hi, We've just started using Plastic [5.4.16.651] and I'm trying to set up security. My plan is to create a 'main' branch, which other developers can create sub-branches from but only I can check changes into. I've seen this model mentioned in various places and I thought it would simply be a case of removing the 'ci' permission from the main branch for everyone other than me. However, it seems whilst the removing the 'ci' permission prevents users checking changes directly into the branch, it does not prevent changes being checked in as a result of merging from a child branch. Is there some other permission that must be used to prevent changes being checked in as a result of merge in a child branch? Luke Link to comment Share on other sites More sharing options...
manu Posted April 20, 2015 Report Share Posted April 20, 2015 Hi Luke, can you tell me more about the main branch ACL? Maybe an screenshot or the user permissions might help. Also, how are you performing the merge operation? Is it a regular merge operation or a "merge-to" operation? Thanks. Link to comment Share on other sites More sharing options...
lukeb Posted April 20, 2015 Author Report Share Posted April 20, 2015 I've created a group called 'developers' containing a user called 'testuser': The main branch is called 'trunk', owned by an 'admin' user and I've denied the 'ci' permission from the 'developers' group The ACL for 'trunk' is below: cm sa --extended br:/trunkACL: 1 Creator br:/trunk@rep:profile7@repserver:PLASTIC:8087 Entries developers: Denied: ci Inherited ACL: 0 Creator rep:profile7@repserver:PLASTIC:8087 Inherited ACL: 0 Creator repserver:PLASTIC:8087 Entries administrators: Allowed: all OWNER: Allowed: chgperm chgowner view read rename changecomment mkrepository rmr epository rmchangeset rmlabel rmtrigger rmattr mkchildbranch mktop-levelbranch m klabel mkattr mktrigger mergefrom applylabel applyattr replicateread replicatewr ite add change move rm ci advancedquery all developers: Allowed: all I've configured the plastic client to use the 'testuser' user (and confirmed with cm whoami) I then try the following 2 scenarios Scenario 1 : direct check out checked a file directly from the 'trunk' branch at this point the branch explorer looks like this: when I try and check in I get an error "You don't have permission on ...' as expected Scenario 2 : child branch merge created a child branch called 'test' from 'trunk' switched workspace to 'trunk/test' checked out a file, made changes, checked back in switched workspace to 'trunk' right clicked on 'trunk/test' and chose 'Merge from this branch...' then 'process all merges' at this point branch explorer looks like this: I then attempted to check in the pending changes expecting to be prevented by lack of permission, but in fact it worked I've tried various changes with Scenario 2 (defining permissions at user rather than group level, attempting the merge in a different way) but the effect is always the same - the checkin following the merge is always allowed. Link to comment Share on other sites More sharing options...
manu Posted April 20, 2015 Report Share Posted April 20, 2015 Thank you for the info. Now I can reproduce the issue. Let me share it with the team. Link to comment Share on other sites More sharing options...
lukeb Posted April 22, 2015 Author Report Share Posted April 22, 2015 Do you have any update on this? Thanks. Link to comment Share on other sites More sharing options...
manu Posted April 22, 2015 Report Share Posted April 22, 2015 Yes, we are going to fix it asap. Link to comment Share on other sites More sharing options...
manu Posted May 18, 2015 Report Share Posted May 18, 2015 Done! You will find it solved at the 5.4.16.664 release. Link to comment Share on other sites More sharing options...
Misieq Posted May 19, 2015 Report Share Posted May 19, 2015 Hi Is it included in this version? Release notes do not mention it. One additional question - it requires updating on both side server and client or it is enough to have client updated? Link to comment Share on other sites More sharing options...
calbzam Posted May 19, 2015 Report Share Posted May 19, 2015 Yes, not sure why it was not included. But the task was integrated into 5.4.16.664 Regarding the upgrade, you just need to upgrade the server. (assuming your clients are 5.4.16.x) Regards, Carlos. Link to comment Share on other sites More sharing options...
manu Posted May 27, 2015 Report Share Posted May 27, 2015 Is it working as expected now? BR Link to comment Share on other sites More sharing options...
lukeb Posted December 9, 2015 Author Report Share Posted December 9, 2015 Sorry for the late reply - we've only just upgrade Plastic to a version that includes the fix. I can confirm that it's now working correctly. Link to comment Share on other sites More sharing options...
calbzam Posted December 18, 2015 Report Share Posted December 18, 2015 Great! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.