On Mon, 2009-11-30 at 11:21 -0500, C. Michael Pilato wrote:
> Monty wrote:
> > Hi svn-dev,
> >
> > I got stuck on a problem with "svn log" that at first made no sense :)
> > But after figuring out how "svn log" works, I would kindly like to
> > request an improvement in a border case.
> >
> > Scenario:
> >
> > Within 1 repository, there are 2 folders: A & B.
> > Kate has access to A & B [let's say rw], John has access to B only.
> >
> > Now Kate makes a commit [let's say revision 5] that modifies files in
> > both folders: A/foo and B/bar. Being the pragmatic programmer she is, she
> > of course provides a commit message.
> >
> > Now whichever way Kate checks revision history, everything is ok.
> > However when John checks revision history [for the file visible for him,
> > i.e. B/bar], he does see the commit message. He does see the revision
> > [5], but not the message Kate carefully worded.
> >
> > The command John executed was "svn log --username john
> > https://svn-repository/B/foo". And to sysadmins' surprise, Apache error
> > log showed: "Access denied: 'john' GET svn-repository:/A/foo"
> >
> > So... to sum it up:
> > * John does see all his commit comments
> > * John also sees Kate's commit comments, if her particular commit only
> > touched B.
> > * If there's a commit by Kate that involves A & B, John does not see the
> > comment for that particular commit.
> >
> > It seems there is an assumption that if you have permissions to view a
> > file in a specific commit, you can see all files in the commit. In our
> > use case this is not (and can't be made) true.
>
> It might be because I'm reading the above incorrectly, but I don't think
> you've expressed the correct assumption that Subversion makes.
>
> The assumptions that Subversion makes are these:
>
> * A file whose contents are unreadable by user X might also have a
> pathname that user X shouldn't be allowed to see.
>
> * A log message in which paths A and B are changed might actually mention
> paths A and B by potentially-sensitive name.

I think Subversion's assumption is based not only on a concern about the
paths, but also on a concern that the log message is likely to talk
about the content of the files that X shouldn't be allowed to see, so X
shouldn't be allowed to read the message.

- Julian

> When you combine the assumptions, you understand Subversion's behavior.
> John isn't allowed to see any paths in A. Kate's commit to both A and B
> might mention paths in B. Therefore, John shouldn't see Kate's commit log.
>
> --
> C. Michael Pilato <cmpilato_at_collab.net>
> CollabNet <> www.collab.net <> Distributed Development On Demand
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2425543
>
> Please start new threads on the <dev_at_subversion.apache.org> mailing list.
> To subscribe to the new list, send an empty e-mail to <dev-subscribe_at_subversion.apache.org>.
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2425556
Received on 2009-11-30 17:39:18 CET
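
A simplified model of the rule discussed in this thread, added here as an example and not taken from Subversion's code or from any poster: the log message is withheld unless the requesting user can read every path changed in the revision. The rule table, the history and the function names are constructed for illustration.

```python
# Simplified model of the log-visibility rule described in this thread.
# Not Subversion source code; names, rules and history are constructed.

# Constructed read rules: path prefix -> users allowed to read below it.
READ_RULES = {
    "/A": {"kate"},
    "/B": {"kate", "john"},
}

# Constructed history matching the scenario in the thread.
HISTORY = [
    {"rev": 4, "author": "john", "paths": ["/B/bar"], "msg": "Tidy bar"},
    {"rev": 5, "author": "kate", "paths": ["/A/foo", "/B/bar"],
     "msg": "Rework foo and adapt bar"},
    {"rev": 6, "author": "kate", "paths": ["/B/bar"], "msg": "Fix typo in bar"},
]


def can_read(user, path):
    """Longest matching prefix decides; no matching rule means no access."""
    best = None
    for prefix in READ_RULES:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best is not None and user in READ_RULES[best]


def log_for(user, target):
    """Return the log entries `user` gets for the history of `target`."""
    if not can_read(user, target):
        raise PermissionError(f"Access denied: '{user}' {target}")
    entries = []
    for rev in HISTORY:
        if target not in rev["paths"]:
            continue
        readable = [p for p in rev["paths"] if can_read(user, p)]
        # The message is withheld unless every changed path is readable.
        full = len(readable) == len(rev["paths"])
        entries.append({"rev": rev["rev"], "paths": readable,
                        "msg": rev["msg"] if full else None})
    return entries


if __name__ == "__main__":
    for entry in log_for("john", "/B/bar"):
        print(entry)
```
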