
svnserver authz rule precedence bug?

From: ycdtosa <ycdtosa_at_gmail.com>
Date: Wed, 21 Jan 2009 22:52:55 +0100

Hi. I'm having a problem with svnserve and the authz file
that seems to me like a *bug* in Subversion (svnserve) or in the
documentation (Subversion book).

svnserver authz rule precedence not working as expected / documented

So, w/o further ado, here is the simplest version I could figure out.

I wanted to allow read-only access to my repo to an authenticated user,
and read-write access to anyone else, so I got the following files:

* svnserve.conf: (disallow anonymous)

[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = My First Repository

* passwd: (a few users)

[users]
harry = harryssecret
sally = sallyssecret

* authz: (give harry read access, and rw to everybody else)

[/]
harry = r
$authenticated = rw

And that is it.

The problem is that with this configuration "harry" gets "rw" permissions,
even if to my understanding it shouldn't, since in chapter 6 of the book it reads...

  "Another important fact is that the first matching rule is the one
   which gets applied to a user.
   In the prior example, even though Jane is a member of the
   paint-developers group (which has read/write access),
   the jane = r rule will be discovered and matched before the group
   rule, thus denying Jane write access."

where the "prior example" was this:

  [paint:/projects/paint]
  jane = r
  @paint-developers = rw

Also, googling for a solution I've found this post
   [http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html]

where C. Michael (Mike) Pilato wrote:
  "But what about your authenticated would-be writers? Ah, therein
   lies the rub!
   *There are no authenticated users.* Since anonymous users can
   checkout the tree,
   Apache never bothers to query you for authentication credentials.
   And you can't force Subversion to transmit authentication
   credentials when Apache hasn't asked for them."

Which *is not the case* since anonymous access is already disabled, thus
the svnserver (not Apache here, but I think that is unrelated here)
*does* always require authentication.

This might be a follow up of this thread:
   [http://osdir.com/ml/version-control.subversion.book/2008-06/msg00101.html]

but I could not find any follow-up.

Thanks.

BTW: I'm working with svnserve 1.5.1 (r32289), which is not the latest.

Also, I got a workaround for this, using something like this,
but still the issue about rule precedence is there.

   [/]
   harry = r
   ~harry = rw

And last: thanks for Subversion, guys.

--
ycdtosa
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1042176
Received on 2009-01-22 09:02:55 CET

This is an archived mail posted to the Subversion Dev mailing list.
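
Added example, not part of the original message and not Subversion's own code: a small Python model of a single authz section that evaluates the two `[/]` sections from the post under the first-match reading quoted from the book and under an assumed combine-all-matching-lines reading, which is the one that reproduces the reported "rw" for harry. The function names and the combining model are assumptions of this example.

```python
# Added example: a model of ONE authz section, not Subversion's own code.
# Constructed inputs: the two [/] sections from the message above.
REPORTED = [("harry", "r"), ("$authenticated", "rw")]
WORKAROUND = [("harry", "r"), ("~harry", "rw")]

def matches(token, user, groups):
    """True if an authz rule token applies to `user` (None = anonymous)."""
    if token.startswith("~"):                 # ~token inverts the match
        return not matches(token[1:], user, groups)
    if token == "*":
        return True
    if token == "$authenticated":
        return user is not None
    if token.startswith("@"):
        return user in groups.get(token[1:], ())
    return token == user

def first_match(rules, user, groups=None):
    """Semantics as described in the quoted book passage: first hit wins."""
    for token, access in rules:
        if matches(token, user, groups or {}):
            return access
    return ""

def combined(rules, user, groups=None):
    """Assumed semantics: every matching line adds its permissions."""
    granted = set()
    for token, access in rules:
        if matches(token, user, groups or {}):
            granted |= set(access)
    return "".join(c for c in "rw" if c in granted)

def order_sensitive(rules, users, groups=None):
    """Users whose access differs between the two models: lines to review."""
    return [u for u in users
            if first_match(rules, u, groups) != combined(rules, u, groups)]

if __name__ == "__main__":
    for name, rules in (("reported", REPORTED), ("workaround", WORKAROUND)):
        for user in ("harry", "sally"):
            print(name, user, first_match(rules, user), combined(rules, user))
        print(name, "differs for:", order_sensitive(rules, ["harry", "sally"]))
```

A section for which `order_sensitive` returns an empty list, such as the `~harry` workaround, grants the same access under either reading, so it does not depend on which one the server implements.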