Re: [Issue 2662] authz with wildcards - About recursive access.

From: Luis Rodrigo Gallardo Cruz <rodrigo_at_nul-unu.com>
Date: 2007-11-15 19:42:43 CET

On Tue, Nov 13, 2007 at 04:55:55PM -0600, Luis Rodrigo Gallardo Cruz wrote:
> http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=115400
>
> I saw in that thread that there was a question about recursive use. If
> I understood the objection, the problem is how to resolve a pattern
> such as */tags. My answer to that will be to completely punt the
> issue, and only allow absolute paths to have wildcards.

I see I can't really punt this.

How about the following algorithm for determining tree access:

Given _path_:
1. Determine normal access for _path_.

2. If access allowed, for each rule in the config:

2.1. Is _path_ a prefix of something that could match rule?
2.2. Would rule diminish our access?
2.3. If 2.1 && 2.2, walk the repo and see if there actually *exists*
a path inside that matches the rule. If access is now completely
denied, finish. Else, try next rule.

The idea is to avoid the potentialy expensive repo walk in 2.3

As for 2.1, is the following correct?

Given _glob_, _path_,

1. return true if glob matches path
2. return false if glob = '/' or ''
3. strip last component from glob, goto 1

-- 
Rodrigo Gallardo
GPG-Fingerprint: 7C81 E60C 442E 8FBC D975  2F49 0199 8318 ADC9 BC28

application/pgp-signature attachment: Digital signature

Received on Thu Nov 15 19:43:00 2007

This message: [ Message body ]
Next message: Hyrum K. Wright: "Re: SVN 1.5 Release -- Where are we?"
Previous message: Hyrum K. Wright: "Re: [Issue 3010] New - svn log -g gives inconsistent merge info"
In reply to: Luis Rodrigo Gallardo Cruz: "Re: [Issue 2662] authz with wildcards"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]