Re: [PATCH] wildcard authz prototype

From: Daniel Rall <dlr_at_collab.net>
Date: 2006-05-02 01:39:00 CEST

On Mon, 01 May 2006, Greg Hudson wrote:

> On Mon, 2006-05-01 at 16:06 -0700, Garrett Rooney wrote:
> > Seriously, it iterates over all the wildcards applying them, to see if
> > any of them matter. See the modifications to authz_get_tree_access
> > and authz_parse_section for details.
>
> I'm confused as to how this can be correct.
>
> If I have a rule denying read access to */tags, and a caller wants to
> know if the user has recursive read access to /project/foo, doesn't the
> answer depend on whether /project/foo contains a "tags" somewhere? How
> can you know if the */tags wildcard entry is relevant without knowing
> what paths exist inside the tree?

It's certainly not optimal, but you could crawl the entire
/project/foo sub-tree looking for a match.

Alternately, you could accept only trailing wildcards in the
configuration.

-- 
Daniel Rall

application/pgp-signature attachment: stored

Received on Tue May 2 01:39:25 2006

This message: [ Message body ]
Next message: Warren Konkel: "memory leaks in ruby bindings"
Previous message: Garrett Rooney: "Re: [PATCH] wildcard authz prototype"
In reply to: Greg Hudson: "Re: [PATCH] wildcard authz prototype"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]