On Tue, May 24, 2016 at 08:40:29AM +0000, Phil Crooker wrote:
> Newbie question - I have authenticated users with read or r/w access are unable to view logs, eg:
>
>
> # svn --username whatever --password xxxxx svn://svn/repos/project/yada.txt
>
> svn: Item is not readable
>
> I must grant anonymous read access in authz and then it works:
>
>
> [/]
>
> * = r
>
>
> I've seen this reported earlier but no answer:
>
>
> http://svn.haxx.se/users/archive-2011-02/0141.shtml
>
> http://stackoverflow.com/questions/6651997/svn-show-log-not-working
>
>
> My question is why can't an authenticated user who has rights see the logs?
Hi Phil,
The use case scenario behind the design of the authz feature is the following:
Imagine you're setting up a competition, where teams apply to compete
and write some piece of software for you based on a specification.
Your competition has the following contraints:
- No team should be aware of who else is competing.
- You're hosting all competing teams in a single repository.
In this scenario, the following information must be protected:
- file content
- the knowledge of which paths exist in the repository
- the knowledge of which authors make commits to the repository
'svn log' shows always the author name, and the list of changed paths
is available with 'svn log -v'. And because log messages are free-form,
they may contain content which would leak such information.
For example, developers might refer to each other in log messages
("Review by: Robert") or they might refer to paths in the repository
("team1/project1/main.c: Fix crash with --help option.")
That's why, if any path in the changed paths list of a revision is
forbidden to the authenticated user, the *entire* information which
would be provided by 'svn log' is hidden from that user.
I suspect that, in your scenario, SVN denies access to the revision
log based on the above reasoning.
Received on 2016-05-30 12:57:56 CEST