subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bert Huijben" <b...@qqmail.nl>
Subject RE: Path-based authorization ignores most specific path
Date Mon, 13 Apr 2015 07:50:06 GMT


> -----Original Message-----
> From: all-lists@stefan-klinger.de [mailto:all-lists@stefan-klinger.de]
> Sent: zondag 12 april 2015 12:47
> To: users@subversion.apache.org
> Subject: Path-based authorization ignores most specific path
> 
> Hello!
> 
> --Summary--
> 
> Path-based authorization seems to not work as documented
> currently:  The most specific path is *not* used.
> 
> Version: server=1.6.17, client=1.8.8 or 1.8.13
> 
> Might be a reincarnation of (closed?) Issue 3242:
> 
>     http://svn.haxx.se/users/archive-2010-01/0124.shtml
>     http://subversion.tigris.org/issues/show_bug.cgi?id=3242
> 
> 
> --Description--
> 
> The documentation says (for all versions since 1.5):
> 
>     The thing to remember is that the most specific path always
>     matches first.
> 
>
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.pathbasedauthz.html
> 
> I'm having the following lines concerning repository `proj` in my
> `access` file.  As you can see, `/pub` should be publicly readable,
> but nothing else:
> 
> Current access file contains:
> 
>     [groups]
>     proj_staff = [...]
>     proj_other = [...]
> 
>     [proj:/]
>     @proj_staff = rw
>     @proj_other = r
> 
>     [proj:/pub]
>     * = r
>     @proj_staff = rw
> 
>     [proj:/eval]
>     @proj_other =
> 
>     [proj:/group]
>     @proj_other = rw
> 
>     [proj:/group/foo]
>     foo = rw
> 
> The problem is:
> 
>   * I can *NOT* `svn co https://...proj/pub` without authentification.

For the record: I don't see anything in your config that you setup anonymous
authentication. Even with a * = r line some operations might still need to
know who you are, even though everybody has access to read.


For 1.8.x a checkout will retrieve inherited properties from all ancestor
directories of where you checked out (see release notes for the new features
that provides), so I'm not surprised that the client asks for your
credentials if you only provide access to those other directories if a user
is authenticated. (Not being able to read the properties is not an issue...
But the client will try to read them, which will produce a prompt)

If there is something on the server side related to your issue everybody
will recommend you to upgrade to a supported Subversion release first. We
only actively support the last revision and the one before that with
bugfixes, so that would be Subversion 1.8.x and 1.7.x. (and soon just 1.9.x
and 1.8.x).

	Bert


Mime
View raw message