On 4/4/06, Michael Brouwer <mb.7766@gmail.com> wrote:
> Not commenting on the specifics of your idea here per-se, but on a
> potential security issue regarding renames.
>
> If the ACLs on a repository disallows someone access to the move
> source of a file, what would the move source be in the editor call?
>
> More detailed example: Say a repository was split in a secret and a
> public part (using ACLs), and someone with access to both moves a file
> from the secret to the public part because that file was deemed to not
> be private anymore, can this be done without disclosing any
> information about the private sections of the repository (such as path
> names) to people without access to those private sections.
>
> It seems like the right thing to do here might be to show the file as
> having been added without history to users without access to the move
> source.
That's what we do for copies now, I imagine we'll do something similar
for renames.
> The opposite scenario is also possible I assume (someone moves a
> public file to the private section of the repository). After this to
> users without access to the private section the move should arguably
> show up as a delete to users without access to the move destination.
That's what I'd been thinking as well.
-garrett
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Apr 4 21:07:20 2006