
Re: SVN-DEV HELP NEEDED: What to do about the ra-get-log interface

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Tue, 03 Jun 2008 15:16:23 -0400

Karl Fogel wrote:
> "C. Michael Pilato" <cmpilato_at_collab.net> writes:
>>> Why should access restrictions prevent someone from merely anchoring an
>>> RA session at a particular URL, and then running log requests based from
>>> that anchor? The access controls should, of course, limit what
>>> responses come back from the request, but I don't see why they should
>>> prevent what Martin assumes "might not be permissible".
>> Consider a situation in which mod_dav_svn (not mod_authz_svn) is
>> configured to disallow any read access to paths outside of /trunk.
>> Before Subversion even gets the chance to field a log REPORT request
>> aimed at the root of the repository, mod_dav_svn prevents the request
>> from succeeding.
>
> That's what I'm questioning. Why does mod_dav_svn behave like this?
> Because it's easier to implement?

Does it have a choice?

I think we're thinking of different deployment scenarios. I'm talking about
something like:

   <Location /repo>
     DAV svn
     SVNPath /var/svn/repo
     ### bits that disallow access here
   </Location>
   <Location /repo/trunk>
     ### bits that allow access to trunk here
   </Location>

IIUC, a request to /repo (or to /repo/something-not-trunk) wouldn't even get
to mod_dav_svn for processing because it fails the higher-level Apache authz
requirements.

I'm not saying it's a sane configuration, of course. But prior to
mod_authz_svn being created, it was through Apache configury like this that
we instructed folks to do their access control.

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Received on 2008-06-03 21:16:39 CEST

This is an archived mail posted to the Subversion Dev mailing list.
