
Re: [Issue 2662] authz with wildcards - What if it's ambiguous?

From: Luis Rodrigo Gallardo Cruz <rodrigo_at_nul-unu.com>
Date: 2007-11-15 19:34:06 CET

On Tue, Nov 13, 2007 at 04:55:55PM -0600, Luis Rodrigo Gallardo Cruz wrote:
> Another issue that must be solved is that several entries can apply to
> the same path. I propose the following rules in order to disambiguate:
>
> - Repo specific trumps pan-repo
> - More path components trump less
> - Less wildcards trump more
 
I've realized these rules will not work. If we had the following:

[/*/b]
 u1 = rw

[/a/*]
 u1 = r

[/a/?]
 u1 =

What are the proper permissions to grant u1 when he tries to access '/a/b'?

The people I'm doing this for came up with the idea of having order of
declaration decide. For this, I'd have to save that order somewhere. I
thought about adding a field to the conf_section struct and fill it up
when reading the file. Would a patch doing that be acceptable?

If I do that, then the rules would be resolved as follows:

Given _repo_, _path_:

 1. Is there a rule without wildcards for _repo_:_path_? That rule gives our
    permissions. Else,
 2. Are there rules with wildcards that match _repo_:_path_? Take the first
    of those in declaration order, that rule gives our permissions. Else,
 3. If _path_ != '/', strip the last component, return to 1.

 4. If we haven't found an access rule yet, revert _path_ to the
    original and try 1., 2., 3. with pan-repo rules.

 5. If we found no rule, deny access.

Comments?

-- 
Rodrigo Gallardo
GPG-Fingerprint: 7C81 E60C 442E 8FBC D975  2F49 0199 8318 ADC9 BC28

Received on Thu Nov 15 19:34:22 2007
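
The five-step lookup proposed in the mail, sketched as an added example; it is not part of the original message and is not Subversion code. Assumptions: wildcards do not cross '/' (matched here with POSIX fnmatch and FNM_PATHNAME), only u1's access is modelled, and the rule table, the repository name `docs` and the function names are hypothetical.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

// Constructed rules for user u1; array index = declaration order.
// repo == NULL marks a pan-repo section; "docs" is a made-up repository name.
struct rule { const char *repo, *pattern, *access; };
static const struct rule rules[] = {
    { NULL,   "/*/b", "rw" },
    { NULL,   "/a/*", "r"  },
    { NULL,   "/a/?", ""   },
    { "docs", "/a/b", "r"  },
};
enum { NRULES = sizeof rules / sizeof rules[0] };

static int wild(const char *p) { return strpbrk(p, "*?") != NULL; }
static int in_scope(const struct rule *r, const char *repo) {
    return repo ? (r->repo && strcmp(r->repo, repo) == 0) : r->repo == NULL;
}

// Steps 1-3 within one scope; NULL means no rule was found.
static const char *resolve_scope(const char *repo, const char *path) {
    char p[256], *slash;
    int i;
    snprintf(p, sizeof p, "%s", path);
    for (;;) {
        for (i = 0; i < NRULES; i++)      // step 1: literal rule for this path
            if (in_scope(&rules[i], repo) && !wild(rules[i].pattern)
                && strcmp(rules[i].pattern, p) == 0) return rules[i].access;
        for (i = 0; i < NRULES; i++)      // step 2: first wildcard match, declaration order
            if (in_scope(&rules[i], repo) && wild(rules[i].pattern)
                && fnmatch(rules[i].pattern, p, FNM_PATHNAME) == 0) return rules[i].access;
        if (strcmp(p, "/") == 0) return NULL;
        slash = strrchr(p, '/');          // step 3: strip the last component
        if (slash == p) p[1] = '\0'; else *slash = '\0';
    }
}

// Steps 4-5: repo-specific rules first, then pan-repo, else deny ("").
const char *resolve(const char *repo, const char *path) {
    const char *a;
    // Fail closed on relative or over-long paths instead of truncating them.
    if (path[0] != '/' || strlen(path) >= 256) return "";
    a = resolve_scope(repo, path);
    if (!a) a = resolve_scope(NULL, path);
    return a ? a : "";
}

int main(void) {
    printf("other:/a/b -> \"%s\"\n", resolve("other", "/a/b"));
    return 0;
}
```

With these rules the `[/a/?]` entry is never reached: `[/a/*]` is declared before it and matches every path it does, so under declaration-order resolution a narrower deny has to be listed ahead of the broader grants.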

This is an archived mail posted to the Subversion Dev mailing list.