[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn commit comment for "svn log <file>" is not shown, if the commit includes any files I don't have read access for

From: Julian Foad <julian.foad_at_wandisco.com>
Date: Mon, 30 Nov 2009 16:38:55 +0000

On Mon, 2009-11-30 at 11:21 -0500, C. Michael Pilato wrote:
> Monty wrote:
> > Hi svn-dev,
> >
> > I got stuck on a problem with "svn log" that firstly made no sense :)
> > But after figuring out how the "svn log" works, I would kindly request
> > an improvement request in a border case.
> >
> > Scenario:
> >
> > Within 1 repository, there are 2 folders: A & B.
> > Kate has access to A & B [let's say rw], John has access to B only.
> >
> > Now Kate makes a commit [let's say revision 5] that modifies files in
> > both folders: A/foo and B/bar. Being a pragmatic programmer she is, she
> > of course provides a commit message.
> >
> > Now whichever way Kate checks revision history, everything is ok.
> > However when John checks revision history [for the file visible for him,
> > i.e. B/bar], he does see the commit message. He does see the revision
> > [5], but not the message Kate carefully worded.
> >
> > The command John executed was "svn log --username john
> > https://svn-repository/B/foo". And to sysadmins' surprise, Apache error
> > log showed: "Access denied: 'john' GET svn-repository:/A/foo
> >
> > So... to sum it up:
> > * John does see all his commit comments
> > * John also sees Kate's commit comments, if her particular commit only
> > touched B].
> > * If there's a commit by Kate that involves A & B, John does not see the
> > comment for that particular commit.
> >
> > It seems there is an assumption that if you have permissions to view a
> > file in a specific commit, you can see all files in the commit. In our
> > use case this is not (and can't be made) true.
> It might be because I'm reading the above incorrectly, but I don't think
> you've expressed the correct assumption that Subversion makes.
> The assumptions that Subversion makes are these:
> * A file whose contents are unreadable by user X might also have a
> pathname that user X shouldn't be allowed to see.
> * A log message in which paths A and B are changed might actually mention
> paths A and B by potentially-sensitive name.

I think Subversion's assumption is based not only on a concern about the
paths, but also on a concern that the log message is likely to talk
about the content of the files that X shouldn't be allowed to see, so X
shouldn't be allowed to read the message.

- Julian

> When you combine the assumptions, you understand Subversion's behavior.
> John isn't allowed to see any paths in A. Kate's commit to both A and B
> might mentioned paths in B. Therefore, John shouldn't see Kate's commit log.
> --
> C. Michael Pilato <cmpilato_at_collab.net>
> CollabNet <> www.collab.net <> Distributed Development On Demand
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2425543
> Please start new threads on the <dev_at_subversion.apache.org> mailing list.
> To subscribe to the new list, send an empty e-mail to <dev-subscribe_at_subversion.apache.org>.


Please start new threads on the <dev_at_subversion.apache.org> mailing list.
To subscribe to the new list, send an empty e-mail to <dev-subscribe_at_subversion.apache.org>.
Received on 2009-11-30 17:39:18 CET

This is an archived mail posted to the Subversion Dev mailing list.