From cf1c73b4f94fc8a4529d5e0c3f00ea167861fd51 Mon Sep 17 00:00:00 2001
From: Simon Heath
Date: Sun, 2 Oct 2016 17:14:34 -0400
Subject: [PATCH 1/2] Added docs explaining multiple --restrict-to-path flags, with example (take 2)
---
 borg/archiver.py | 3 ++-
 docs/deployment.rst | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/borg/archiver.py b/borg/archiver.py
index ce7655fc5..785a98a6d 100644
--- a/borg/archiver.py
+++ b/borg/archiver.py
@@ -1011,7 +1011,8 @@ class Archiver:
 help='start repository server process')
 subparser.set_defaults(func=self.do_serve)
 subparser.add_argument('--restrict-to-path', dest='restrict_to_paths', action='append',
- metavar='PATH', help='restrict repository access to PATH')
+ metavar='PATH', help='restrict repository access to PATH. '
+ 'Can be specified multiple times to allow the client access to several directories.')
 subparser.add_argument('--append-only', dest='append_only', action='store_true',
 help='only allow appending to repository segment files')
 init_epilog = textwrap.dedent("""
diff --git a/docs/deployment.rst b/docs/deployment.rst
index 3c76500fe..b4794300a 100644
--- a/docs/deployment.rst
+++ b/docs/deployment.rst
@@ -54,6 +54,11 @@ Restrictions
 Borg is instructed to restrict clients into their own paths:
 ``borg serve --restrict-to-path /home/backup/repos/``
+The client will be able to access any file or subdirectory inside of ``/home/backup/repos/``
+but no other directories. You can allow a client to access several directories by passing multiple
+`--restrict-to-path` flags, for instance: ``borg serve --restrict-to-path /home/backup/repos//root --restrict-to-path /home/backup/repos//home``,
+or instead simply use `--restrict-to-path` once to restrict the client to ``/home/backup/repos//*``.
+
 There is only one ssh key per client allowed. Keys are added for ``johndoe.clnt.local``, ``web01.srv.local`` and
 ``app01.srv.local``. But they will access the backup under only one UNIX user account as:
 ``backup@backup01.srv.local``. Every key in ``$HOME/.ssh/authorized_keys`` has a
From 573cb616d3979d2deae249565afddeb56457029c Mon Sep 17 00:00:00 2001
From: Marian Beermann
Date: Thu, 6 Oct 2016 01:00:07 +0200
Subject: [PATCH 2/2] deployment: synthesize alternative --restrict-to-path example
---
 borg/archiver.py | 3 ++-
 docs/deployment.rst | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/borg/archiver.py b/borg/archiver.py
index 785a98a6d..ab465e4f6 100644
--- a/borg/archiver.py
+++ b/borg/archiver.py
@@ -1012,7 +1012,8 @@ class Archiver:
 subparser.set_defaults(func=self.do_serve)
 subparser.add_argument('--restrict-to-path', dest='restrict_to_paths', action='append',
 metavar='PATH', help='restrict repository access to PATH. '
- 'Can be specified multiple times to allow the client access to several directories.')
+ 'Can be specified multiple times to allow the client access to several directories. '
+ 'Access to all sub-directories is granted implicitly; PATH doesn\'t need to directly point to a repository.')
 subparser.add_argument('--append-only', dest='append_only', action='store_true',
 help='only allow appending to repository segment files')
 init_epilog = textwrap.dedent("""
diff --git a/docs/deployment.rst b/docs/deployment.rst
index b4794300a..c73c6ddb2 100644
--- a/docs/deployment.rst
+++ b/docs/deployment.rst
@@ -55,9 +55,10 @@ Borg is instructed to restrict clients into their own paths:
 ``borg serve --restrict-to-path /home/backup/repos/``
 The client will be able to access any file or subdirectory inside of ``/home/backup/repos/``
-but no other directories. You can allow a client to access several directories by passing multiple
-`--restrict-to-path` flags, for instance: ``borg serve --restrict-to-path /home/backup/repos//root --restrict-to-path /home/backup/repos//home``,
-or instead simply use `--restrict-to-path` once to restrict the client to ``/home/backup/repos//*``.
+but no other directories. You can allow a client to access several separate directories by passing multiple
+`--restrict-to-path` flags, for instance: ``borg serve --restrict-to-path /home/backup/repos/ --restrict-to-path /home/backup/repos/``,
+which could make sense if multiple machines belong to one person which should then have access to all the
+backups of their machines.
 There is only one ssh key per client allowed. Keys are added for ``johndoe.clnt.local``, ``web01.srv.local`` and
 ``app01.srv.local``. But they will access the backup under only one UNIX user account as:
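Review bot: The second added help line states that access to all sub-directories is granted implicitly, but it says nothing about how PATH itself is matched; since `--restrict-to-path` is the access boundary enforced by `do_serve` (not visible in this hunk), the help text should say whether the comparison is by path component, so a reader knows that a PATH of `/srv/repos` (constructed example) is not meant to also cover `/srv/repos2` — confirm against the implementation before wording it, as nothing in the hunk shows the check. The same literal also runs well past 120 columns while the neighbouring continuation lines stay short; splitting it at the semicolon, `'Access to all sub-directories is granted implicitly; '` on one continuation line and `'PATH doesn\'t need to directly point to a repository.')` on the next, keeps it consistent with them. The enclosing method starts and ends outside the hunk.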