On 04/12/2010 07:49 PM, C. Michael Pilato wrote:
> kameshj_at_apache.org wrote:
>
>> Author: kameshj
>> Date: Mon Apr 12 11:26:28 2010
>> New Revision: 933194
>>
>> URL: http://svn.apache.org/viewvc?rev=933194&view=rev
>> Log:
>> [issue2753] Fix issue 2753.
>>
>> Relax requests aimed at the repo Parent path from authz control.
>>
>> * subversion/mod_authz_svn/mod_authz_svn.c
>> (create_authz_svn_dir_config): Canonicalize conf->base_path.
>> (req_check_access): When canonicalized 'uri' and 'conf->base_path' are same
>> allow the request.
>> (access_checker, check_user_id, auth_checker):
>> Initialize repos_path to 'NULL' otherwise it can point
>> to stray values when req_check_access relaxes certain requests without
>> initialising the out parameters.
>>
> In a perfect world, I would expect that requests to the parent directory
> would not be authz-denied, but that each repository in the listing of
> repositories would be authz-checked against the authz configuration. In
> other words, say I have a parent-path with three repositories: calc, watch,
> lamp. And say I have an authz file like so:
>
> [lamp:/]
> * =
>
> I would expect that a request to the parent directory would yield a listing
> that included the 'calc' and 'watch' repositories, but not the 'lamp' one.
>
> Is that the case?
>
>
No.
These authz rule should *not* list anything inside the repo 'lamp' but
not lamp itself when requested for the parent path root.
The feature that you ask for is possible only if 'mod_dav_svn'(which
implements SVNListParentPath) consults mod_authz_svn(or some authorizer)
for every item listed which is not the case today.
With regards
Kamesh Jayachandran
Received on 2010-04-12 16:46:35 CEST