[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] Non-recursive directory access for mod_authz_svn

From: Azimuth <azimuth_at_sanctuary.org>
Date: 2005-04-11 19:59:35 CEST

Allows an administrator to specify that a directory may be read without
giving access to its contents.

The new configuration option gets its name from the unix 'execute'
permission, which performs a similar function when applied to
directories. It is useful for situations when a user may need access to
a subdirectory, but should not have access to anything else within that
directory. While directories may be excluded individually, without
this option, the access of new directories would have to be set by the
administrator - an undue burden when the repository is shared by many teams.

This access file allows the manager to read everything, the head coder
to read and write everything, but the foo coders and bar coders can only
see their own project and the libraries directory:

[/]
@foocoders = x
@barcoders = x
manager = r
headcoder = rw

[/libraries]
@foocoders = r
@barcoders = r

[/project-foo]
@foocoders = rw

[/project-bar]
@barcoders = rw

* subversion/mod_authz_svn/mod_authz_svn.c
  (enum): AUTHZ_SVN_EXECUTE flag added
  (enum): AUTHZ_SVN_RECURSIVE value changed to make room
  (parse_authz_line): read privilege now implies execute
  (parse_authz_line): execute access added to allow and deny values
  (check_access): while checking the path above the current repos path,
  the execute access requirement is removed when the access is not
  immediately determined
  (req_check_access): The following methods now require execute privileges:
  M_OPTIONS, M_GET, M_PROPFIND, M_REPORT, M_MKCOL, M_PUT, M_PROPPATCH,
  M_CHECKOUT, M_MERGE, M_MKACTIVITY

diff -ru subversion-1.1.4/subversion/mod_authz_svn/mod_authz_svn.c subversion-1.1.4-private/subversion/mod_authz_svn/mod_authz_svn.c
--- subversion-1.1.4/subversion/mod_authz_svn/mod_authz_svn.c 2004-10-16 16:30:45.000000000 -0500
+++ subversion-1.1.4-private/subversion/mod_authz_svn/mod_authz_svn.c 2005-04-11 12:20:54.000000000 -0500
@@ -42,7 +42,8 @@
     AUTHZ_SVN_NONE = 0,
     AUTHZ_SVN_READ = 1,
     AUTHZ_SVN_WRITE = 2,
- AUTHZ_SVN_RECURSIVE = 4
+ AUTHZ_SVN_EXECUTE = 4,
+ AUTHZ_SVN_RECURSIVE = 8
 };
 
 typedef struct {
@@ -145,7 +146,7 @@
     }
 
     if (ap_strchr_c(value, 'r')) {
- b->allow |= AUTHZ_SVN_READ;
+ b->allow |= AUTHZ_SVN_READ|AUTHZ_SVN_EXECUTE;
     }
     else {
         b->deny |= AUTHZ_SVN_READ;
@@ -158,6 +159,13 @@
         b->deny |= AUTHZ_SVN_WRITE;
     }
 
+ if (ap_strchr_c(value, 'x')) {
+ b->allow |= AUTHZ_SVN_EXECUTE;
+ }
+ else {
+ b->deny |= AUTHZ_SVN_EXECUTE;
+ }
+
     ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, b->pool,
                   "%s = %s => allow = %i, deny = %i",
                   name, value, b->allow, b->deny);
@@ -259,6 +267,7 @@
 {
     const char *base_name;
     const char *original_repos_path = repos_path;
+ int required = required_access;
     int access;
 
     if (!repos_path) {
@@ -271,13 +280,15 @@
 
     base_name = repos_path;
     while (!parse_authz_lines(cfg, repos_name, repos_path,
- user, required_access, &access,
+ user, required, &access,
                               pool)) {
         if (base_name[0] == '/' && base_name[1] == '\0') {
             /* By default, deny access */
             return 0;
         }
 
+ required &= ~AUTHZ_SVN_EXECUTE;
+
         svn_path_split(repos_path, &repos_path, &base_name, pool);
     }
 
@@ -330,7 +341,7 @@
     case M_GET:
     case M_PROPFIND:
     case M_REPORT:
- authz_svn_type |= AUTHZ_SVN_READ;
+ authz_svn_type |= AUTHZ_SVN_READ|AUTHZ_SVN_EXECUTE;
         break;
 
     /* All methods requiring write access to all subtrees of r->uri */
@@ -345,7 +356,7 @@
     case M_CHECKOUT:
     case M_MERGE:
     case M_MKACTIVITY:
- authz_svn_type |= AUTHZ_SVN_WRITE;
+ authz_svn_type |= AUTHZ_SVN_WRITE|AUTHZ_SVN_EXECUTE;
         break;
 
     default:

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 11 22:47:45 2005

This is an archived mail posted to the Subversion Dev mailing list.