Menu

#179 BUG: path-based authz rule matching description is incorrect

en-1.6
Fixed
nobody
None
Medium
Defect
2012-12-19
2012-12-18
Anonymous
No

Originally created by: cmpilato
Originally owned by: cmpilato

Reported by Mark Cammidge <mark@peralex.com>:

{{{
In the section on path-base authz rules:

http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html

it is written that:

"Another important fact is that the first matching rule is the one which
gets applied to a user. In the prior example, even though Jane is a
member of the paint-developers group (which has read/write access), the
jane = r rule will be discovered and matched before the group rule, thus
denying Jane write access."

This doesn't appear to be correct, on svnserve at least.  I've tried the
given example, and the order appears to have no effect on the rule that
gets applied.

It appears that the least restrictive rule in a section is applied.  So
in the given
example:

[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = harry, sally, joe, frank, sally, jane

[paint:/projects/paint]
jane = r
@paint-developers = rw

User jane gets read and write access, irrespective of the order.  This
was reported in trac bug #108, but the quoted section above that was
introduced as a result does not appear to be correct (for svnserve at
least).

Various other people have been experienced the same thing:

[1]
http://osdir.com/ml/version-control.subversion.book/2008-06/msg00101.html

[2]
http://svn.haxx.se/dev/archive-2009-01/0606.shtml

A reply to [2] above suggests that the order of evaluation of the rules
is random.  That may be, but it looks like the rules are all evaluated
for the particular user, and the most permissive combination for a
particular section is used.

The source code seems to back this up, as it appears to me (and I'm no
expert on the code), that all the allows and denys for a particular user
and in a particular section are ORed together before being used.

Mark
}}}

Related

Tickets: #108

Discussion

  • Comment has been marked as spam. 
    Undo

    View and moderate all "tickets Discussion" comments posted by this user

    Mark all as spam, and block user from posting to "Tickets"

    Anonymous

    Anonymous - 2012-12-18

    Originally posted by: cmpilato

    Doh!  Apparently Stefan Sperling fixed this already (in [r3728]).

    Status: Fixed

     

Log in to post a comment.

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.