[p4] spec depot

Weintraub, David david.weintraub at bofasecurities.com
Wed Jul 19 06:00:10 PDT 2006

What an intriguing experiment!

I fired up my backup server, and did a few tests.

My protection table has in it as the first line "read group dev *
//depot/..." which means I am only giving users access to the
//depot/... table. Group "dev" is the group that includes all users.
Remember that if you don't mention something explicitly in your
protection table, you have no access to it at all.

And sure enough, normal users had no access to my spec depot. They
weren't allowed to put it in their client specs. They were not allowed
to see it via a "p4 files //..." command, and even if they did a "p4
depots", they didn't see it. So, if you do what I did, and put read only
permission on the depots that you want users to access (and most sites
only have a single depot anyway) users have no access to the spec depot,
and wouldn't even know it is there. However, changes to their clients
and users are still stored there.

By the way, the same thing applied to other depots. I created a "foo"
depot, and normal users didn't have any access to that either. They
couldn't even see it when they did a "p4 depots".

So, if you did what I did and put a restrictive permission in the first
line of your protection table that only mentions the depots you actually
want users to access, the user won't even know that the //spec depot
actually exists. For example, if you only have a //depot and a //spec
depots, giving users read only permission on "//depot/..." will hide the
//spec depot from the normal users.


Now, the grand experiment part: I changed the first line of my
protection table from "read group dev * //depot/..." to "write group dev
* //...". This not only gave users access to the //depot, //foo, and
//spec depots, but also gave them universal write access.

As a normal user, I created a client with access to the spec depot,
sync'd it, and then did a "p4 edit protect.p4s". I got the message
"//spec/protect.p4s - can only edit file in a local depot". I created a
file called "foo" and tried to add it to the spec table. I got the
message "//spec/foo - can only add file in a local depot". I tried the
same thing as a super user and got the same messages.

So, even if you explicitly give users full and complete access to the
spec depot, and give users super user permission, they still cannot add,
delete, or edit files in the //spec depot.
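
Added example, not part of the original post and not Perforce code: a simplified model of the default-deny behaviour described above, usable as a quick audit of which depots a protections table exposes to a given user. Assumptions: the depot list, the group membership, and the "super user root" line are constructed; the host field, the access level, and partial exclusions are ignored, and user names match only exactly or as "*".

```python
import re

def depot_part_matches(path, depot):
    """True if the depot component of a protections path can match `depot`."""
    first = path[2:].split("/", 1)[0]        # text between '//' and the next '/'
    if "..." in first:                       # '...' can run past the depot name
        first = first[: first.index("...") + 3]
    rx = re.escape(first).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(rx, depot) is not None

def visible_depots(table, depots, user, groups):
    """Depots where `user` keeps some access once the table is applied in order.

    Simplified model: any granted level counts as visibility, and only an
    exclusion covering a whole depot ('-//...' or '-//name/...') hides it.
    """
    visible = set()                          # nothing is granted implicitly
    for line in table:
        _mode, kind, name, _host, path = line.split(None, 4)
        if kind == "group" and name not in groups.get(user, ()):
            continue
        if kind == "user" and name not in ("*", user):
            continue
        exclude = path.startswith("-")
        path = path.lstrip("-")
        for depot in depots:
            if exclude:
                if path in ("//...", f"//{depot}/..."):
                    visible.discard(depot)
            elif depot_part_matches(path, depot):
                visible.add(depot)
    return visible

# Constructed sample data: the depots named in the post, a made-up user and group map.
DEPOTS = ["depot", "foo", "spec"]
GROUPS = {"alice": ["dev"], "root": ["dev"]}
# First lines are the two quoted in the post; the super line is an assumption.
RESTRICTIVE = ["read group dev * //depot/...", "super user root * //..."]
PERMISSIVE = ["write group dev * //...", "super user root * //..."]

if __name__ == "__main__":
    for label, table in (("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE)):
        print(label, sorted(visible_depots(table, DEPOTS, "alice", GROUPS)))
```
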
