On Mon, 01 May 2006, Greg Hudson wrote:
> On Mon, 2006-05-01 at 16:06 -0700, Garrett Rooney wrote:
> > Seriously, it iterates over all the wildcards applying them, to see if
> > any of them matter. See the modifications to authz_get_tree_access
> > and authz_parse_section for details.
>
> I'm confused as to how this can be correct.
>
> If I have a rule denying read access to */tags, and a caller wants to
> know if the user has recursive read access to /project/foo, doesn't the
> answer depend on whether /project/foo contains a "tags" somewhere? How
> can you know if the */tags wildcard entry is relevant without knowing
> what paths exist inside the tree?

It's certainly not optimal, but you could crawl the entire
/project/foo sub-tree looking for a match.

Alternately, you could accept only trailing wildcards in the
configuration.

--
Daniel Rall
Received on Tue May 2 01:39:25 2006
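
The two options raised in this thread, sketched as an added example that is not Subversion's code or any poster's: a recursive check that crawls the sub-tree for leading-wildcard deny rules, next to one that accepts only trailing wildcards and decides from the rule text alone. The function names, the sample trees, and the use of Python's `fnmatch` (where `*` also crosses `/`) as the wildcard semantics are assumptions.

```python
from fnmatch import fnmatchcase

def is_under(path, root):
    """True if path is root itself or lies inside root's sub-tree."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")

def recursive_read_by_crawl(root, deny_globs, tree_paths):
    """Leading wildcards: every existing path under root has to be tested,
    so the answer depends on what the tree currently contains."""
    for path in tree_paths:
        if is_under(path, root) and any(fnmatchcase(path, g) for g in deny_globs):
            return False
    return True

def recursive_read_trailing_only(root, deny_rules):
    """Trailing wildcards only ('/prefix/*'): decided without the tree.

    Conservative: a rule at or below root denies recursive access whether
    or not that path exists yet; a rule above root already covers root.
    """
    for rule in deny_rules:
        if not rule.endswith("/*") or "*" in rule[:-2]:
            raise ValueError(f"only trailing wildcards accepted: {rule!r}")
        prefix = rule[:-2] or "/"
        if is_under(prefix, root) or is_under(root, prefix):
            return False
    return True

# Constructed sample trees: identical except that TREE_B has a nested "tags".
TREE_A = ["/project", "/project/foo", "/project/foo/src",
          "/project/foo/src/main.c"]
TREE_B = TREE_A + ["/project/foo/lib", "/project/foo/lib/tags"]

if __name__ == "__main__":
    # Same rule, same request, different answers: the tree decides.
    print(recursive_read_by_crawl("/project/foo", ["*/tags"], TREE_A))
    print(recursive_read_by_crawl("/project/foo", ["*/tags"], TREE_B))
    # Trailing-only rules are answered from the configuration alone.
    print(recursive_read_trailing_only("/project/foo", ["/project/bar/tags/*"]))
    print(recursive_read_trailing_only("/project/foo", ["/project/foo/tags/*"]))
```

The crawl costs time proportional to the size of the sub-tree on every recursive check, while the trailing-only variant fails closed by rejecting a rule such as `*/tags` when the configuration is read.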