subversion-users mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: svn authz error: Access denied issue when running svn rm resource where the user should be able to have full access
Date Sat, 31 Jul 2021 01:17:36 GMT
Daniel Shahaf wrote on Sat, Jul 31, 2021 at 00:41:48 +0000:
> Now, the delete logic should request a *non* recursive access check if
> the thing to be deleted is a plain file in HEAD.  subversion/libsvn_repos/commit.c:delete_entry()
> does behave this way — when the .uasset path identifies a non-directory
> in HEAD, which is why I asked about that above — but if I'm reading
> mod_authz_svn's code correctly, it requires svn_authz_recursive access
> on all DELETE calls, regardless of whether a file or a directory is
> being requested to be deleted.
> 
> Which is to say, this would seem to be a bug in mod_authz_svn.

The following test results in SKIP/PASS/XFAIL on ra_local/ra_svn/ra_serf,
respectively.  It's a bit rough — no comments and line length style
violation — but putting it here for anyone who may want to take this
further.

When testing this I commented out the AuthzSVNReposRelativeAccessFile
line in davautocheck.sh for reasons discussed in the "1.14.x test
failure under USE_HTTPV1=1: ra-test 13 commit_empty_last_change" thread
(the secondary problem in that thread, not the one the subject line is
about).

Cheers,

Daniel


[[[
Index: subversion/tests/cmdline/authz_tests.py
===================================================================
--- subversion/tests/cmdline/authz_tests.py	(revision 1891909)
+++ subversion/tests/cmdline/authz_tests.py	(working copy)
@@ -1732,6 +1732,25 @@ def empty_group(sbox):
                                      sbox.repo_url)
 
 
+@XFail(svntest.main.is_ra_type_dav)
+@Skip(svntest.main.is_ra_type_file)
+def delete_file_with_starstar_rules(sbox):
+  "delete file with ** rules"
+
+  sbox.build(create_wc = False)
+
+  write_restrictive_svnserve_conf(sbox.repo_dir)
+
+  prefixed_rules = dict()
+  prefixed_rules[':glob:/**/lorem'] = '* = \n'
+  prefixed_rules['/'] = '%s = rw\n' % (svntest.main.wc_author,)
+  prefixed_rules['/A'] = '%s = \n' % (svntest.main.wc_author,)
+  prefixed_rules['/iota'] = '%s = rw\n' % (svntest.main.wc_author,)
+  write_authz_file(sbox, None, prefixed_rules = prefixed_rules)
+
+  svntest.main.run_svn(None, 'rm', sbox.repo_url + '/iota', '-m', 'Delete by URL')
+
+
 ########################################################################
 # Run the tests
 
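Review bot: The four prefixed_rules entries in delete_file_with_starstar_rules have no comment saying which of them the test depends on. The `/A` deny is not on the path being removed (`/iota`), so either note why it is needed or drop it. If the `:glob:/**/lorem` entry is the one meant to make a recursive access check on `/iota` fail, a one-line comment above it saying so would make the `@XFail(svntest.main.is_ra_type_dav)` decorator self-explanatory; a pointer to this thread or an issue on that decorator would help too. The `svntest.main.run_svn(None, 'rm', ...)` line exceeds the line-length limit mentioned in the message, so wrap its arguments.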
@@ -1771,6 +1790,7 @@ test_list = [ None,
               inverted_group_membership,
               group_member_empty_string,
               empty_group,
+              delete_file_with_starstar_rules,
              ]
 serial_only = True
 
]]]
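
The difference between a non-recursive and a recursive access check under the rules used in the test above, as an added example that is not part of the original message and not Subversion's code. The user name `alice`, the function names, and the matching and precedence logic are assumptions of this model.

```python
from fnmatch import fnmatchcase
# Model (assumption): "**" matches zero or more segments; not Subversion's code.
USER = "alice"  # constructed stand-in for svntest.main.wc_author
# (is_glob, path, acl) mirroring the test's rules; "*" means everyone.
RULES = [(True, "/**/lorem", {"*": ""}), (False, "/", {USER: "rw"}),
         (False, "/A", {USER: ""}), (False, "/iota", {USER: "rw"})]

def segs(path):
    return [s for s in path.split("/") if s]

def gmatch(pat, path, below=False):
    """Segment-wise match; below=True: could pat match a strict descendant?"""
    if not path:
        return bool(pat) if below else all(p == "**" for p in pat)
    if not pat:
        return False
    if pat[0] == "**":
        return gmatch(pat[1:], path, below) or gmatch(pat, path[1:], below)
    return fnmatchcase(path[0], pat[0]) and gmatch(pat[1:], path[1:], below)

def governing(user, path, rules=RULES):
    """Access from the deepest literal rule on path or an ancestor, or a glob
    matching path itself (model assumption: a later rule wins ties)."""
    p, best = segs(path), (-1, "")
    for is_glob, rule, acl in rules:
        r = segs(rule)
        if is_glob:
            depth = len(p) if gmatch(r, p) else -1
        else:
            depth = len(r) if p[:len(r)] == r else -1
        access = acl.get(user, acl.get("*"))
        if access is not None and 0 <= depth >= best[0]:
            best = (depth, access)
    return best[1]

def check(user, path, need, recursive, rules=RULES):
    """need is "r" or "w"; a recursive check also fails if any rule that
    could apply below path withholds the access."""
    if need not in governing(user, path, rules):
        return False
    p = segs(path)
    for is_glob, rule, acl in rules if recursive else []:
        r = segs(rule)
        below = (gmatch(r, p, below=True) if is_glob
                 else len(r) > len(p) and r[:len(p)] == p)
        access = acl.get(user, acl.get("*"))
        if below and access is not None and need not in access:
            return False
    return True
```

In this model `check(USER, "/iota", "w", recursive=False)` succeeds while the same call with `recursive=True` fails, because `/**/lorem` could match a path below `/iota`; dropping the glob rule makes both succeed.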
