http MERGE authorization problem
From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-04-07 17:31:46 CEST
On the users list, Stuart has noticed a problem with mod_authz_svn.
http://www.contactor.se/~dast/svnusers/archive-2004-04/0391.shtml
In summary, Sander, CMike and I have boiled the problem down to this
1. a user has read access everywhere, and write access only on
2. the user tries to 'svn cp /baz /foo/bar/baz-branch'.
3. mod_authz_svn allows the MKACTIVITY unconditionally (we need to fix
4. mod_authz_svn allows the creation of /foo/bar/baz-branch, according
5. then a "MERGE /" request comes in, and authorization is denied, since
The problem here is step 5: libsvn_client is anchoring the commit on
Rather than look for anchor-target workarounds, I'm wondering if we
In theory (according to RFC), the URI to MERGE is a parent-dir of some
Therefore, I wonder if we just shouldn't make mod_authz_svn ignore the
Thoughts?
---------------------------------------------------------------------
|
This is an archived mail posted to the Subversion Dev mailing list.
This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.