
Access control bug in SVN >= 1.5.3

From: Ewgenij Gawrilow <gawrilow_at_math.TU-Berlin.DE>
Date: Wed, 28 Jan 2009 15:11:37 +0100

Hello,

The bug I'm going to report must have been introduced somewhere between 1.5.3 and 1.5.5, as we've
noticed it after the upgrade of both client and server sides from 1.5.2 to 1.5.5.

For a repository, some users are granted full rw access from the root downwards, while other users
may access only specific subtrees in it. The access.conf looks like this:

@full = user1,user2

[Repo:/]
@full = rw

[Repo:/some/path/beneath]
otheruser = rw

Now this restricted user can check out his working copy of /some/path/beneath without problem.
He can also make queries with `svn status -u' or `svn info http://URL'. But an attempt to make an
update of the working copy leads to the following mysterious message:

svn: Server sent unexpected return value (403 Forbidden) in response to
OPTIONS request for 'http://our.server/svn/Repo'

In the server log the following record appears:

Access denied: 'otheruser' OPTIONS Repo:/
Provider encountered an error while streaming a REPORT response. [500, #0]
A failure occurred while driving the update report editor [500, #190004]

It gives the impression that `svn update' tries to access something at the root of the repository,
which it formerly (<=1.5.2) did not need. (We have no external subsets in this repository.)
If it is not a bug but a new feature, it effectively renders our permission scheme absolutely useless.

I'll appreciate any suggestions and short-term patches fixing the problem until the next release.
Thank you for your attention!

Ewgenij Gawrilow,
TU Berlin, Dept. of Mathematics

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1063198
Received on 2009-01-28 15:41:01 CET
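
The access file quoted in the mail, evaluated with a simplified model of path-based authorization in which the nearest ancestor section holding a rule for the user decides. This is an added example, not part of the original mail and not Subversion's own code; the function names and the reading of the top-level `@full` line as a group definition are assumptions. It shows that otheruser has rw inside the subtree but no access at Repo:/, the path named in the 403 response and in the server log.

```python
# Constructed input: the access file as quoted in the report.
AUTHZ = """\
@full = user1,user2

[Repo:/]
@full = rw

[Repo:/some/path/beneath]
otheruser = rw
"""

def parse(text):
    """Return (groups, rules); rules maps (repo, path) -> {principal: perms}."""
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            repo, _, path = line[1:-1].partition(":")
            section = rules.setdefault((repo, path.rstrip("/") or "/"), {})
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        if section is None:   # assumption: top-level "@g = a,b" defines a group
            groups[name.lstrip("@")] = {m.strip() for m in value.split(",")}
        else:
            section[name] = value
    return groups, rules

def applies(principal, user, groups):
    """True if a rule's principal (user, @group or *) covers this user."""
    if principal == "*":
        return True
    if principal.startswith("@"):
        return user in groups.get(principal[1:], set())
    return principal == user

def access(user, repo, path, groups, rules):
    """Walk from path up to '/'; the first section with a matching rule decides."""
    path = path.rstrip("/") or "/"
    while True:
        for principal, perms in rules.get((repo, path), {}).items():
            if applies(principal, user, groups):
                return perms
        if path == "/":
            return ""         # no rule on any ancestor: access denied
        path = path.rsplit("/", 1)[0] or "/"

GROUPS, RULES = parse(AUTHZ)
```

Any request the server authorizes against the repository root, as the logged `OPTIONS Repo:/` was, is therefore refused for otheruser even though every path inside the working copy is readable.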

This is an archived mail posted to the Subversion Dev mailing list.
