
Re: Ev2 and Authz

From: Thomas Åkesson <thomas_at_akesson.cc>
Date: Mon, 16 Apr 2012 17:51:51 +0200

On 16 apr 2012, at 15:12, C. Michael Pilato wrote:

> On 04/14/2012 11:00 AM, Hyrum K Wright wrote:
>> Good morning (in some parts of the world)!
>>
>> I've been doing some poking around with Ev2 and copy operations on the
>> ev2-export branch, and have some observations which merit discussion.
>>
>> In the working copy and elsewhere, all versioned nodes map to a
>> repos_relpath, and I've found it greatly simplifies things if we use
>> that repos relpath in Ev2 operations. Since an Ev2 drive doesn't need
>> to be "anchored" anywhere, using the repos_relpath in this way is
>> analogous to using local_abspaths throughout the working copy, giving
>> every node a single canonical name.
>>
>> However, this has implications in the world of the dreaded issue 3242.
>> For instance, if a session is parented at the root, where the user
>> cannot write, then executes write operations somewhere deep in the
>> tree, where the user does have write privileges, we will produce
>> errors. This is obviously nonsensical and undesirable.
>>
>> If somebody can write to /A/B/C/D, they should be able to open an
>> ra_session to any of the parents and write to their allowable paths
>> without consequence. I know this problem has been known for some
>> time; has anybody looked at what it would take to solve it?
>
> Hyrum, I began some work on the authz-overhaul branch aimed at fixing this,
> but never made much progress there. My approach was simple: bifurcate the
> "read" permission into "read" and "exist", where "exist" meant "You can know
> this thing exists and behave accordingly, but you still can't read its
> contents." This would not be a user-visible permission -- just an
> implementation detail. Both "read" and "write" permissions imply having
> "exist" permission. And the rule is, "If you can know N exists, you can
> know that all of N's parents exist."
>
> CollabNet's modified ViewVC in its Enterprise Edition product implemented
> this sort of functionality, and the result was that users could always see
> the root directory, and any paths inside it necessary to navigate down to a
> path to which they had explicit read permission. Very, very handy.

Agree, very handy. We produce a CMS based on Svn and this is exactly what we wish for. If a user has the URL to /A/B/C/D, he basically already knows about the parents.

I have not had time to follow the Inherited Properties thread completely, but this is kind of related. One could argue that if a user knows about the URL to /A/B/C/D, then what is the harm in letting him read the properties of the parent directories? A significant simplification at the cost of not being able to store secret stuff in directory properties (file properties would still be safe).

 
Received on 2012-04-16 17:52:26 CEST
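
The "exist" rule quoted in the thread above, sketched as an added example that is not part of the original mail and is not Subversion code: "read" and "write" imply "exist", and "exist" propagates up to every parent. The rule table, helper names, nearest-ancestor lookup, and the use of rule paths as a stand-in for nodes that actually exist are all assumptions made for illustration.

```python
# Added illustration; not Subversion code. All names and rules are hypothetical.
# Constructed per-user rules: repos_relpath -> explicit access ("", "r" or "rw").
RULES = {
    "": "",                # no access at the repository root
    "A/B/C/D": "rw",       # write access deep in the tree
    "A/B/C/D/secret": "",  # explicitly hidden child
    "X/docs": "r",
}

def ancestors(relpath):
    """Yield the normalized relpath, then each parent, ending with "" (root)."""
    parts = [s for s in relpath.split("/") if s]
    for i in range(len(parts), -1, -1):
        yield "/".join(parts[:i])

def explicit_access(rules, relpath):
    """Nearest rule on the path or its ancestors wins (assumed inheritance)."""
    for path in ancestors(relpath):
        if path in rules:
            return rules[path]
    return ""

def can_read(rules, relpath):
    return "r" in explicit_access(rules, relpath)

def can_write(rules, relpath):
    return "w" in explicit_access(rules, relpath)

def can_exist(rules, relpath):
    """'exist' is derived: implied by read/write here or on any descendant."""
    if explicit_access(rules, relpath):
        return True
    prefix = next(ancestors(relpath))
    return any(access and (prefix == "" or rule_path.startswith(prefix + "/"))
               for rule_path, access in rules.items())

def open_session_and_write(rules, session_root, target):
    """Issue 3242 scenario: the session is parented above the writable path."""
    if not can_exist(rules, session_root):
        return "denied: session root not visible"
    if not can_write(rules, target):
        return "denied: no write access to target"
    return "ok"
```

With "exist" derived this way, the parents of /A/B/C/D are visible for navigation and session anchoring but their contents stay unreadable, and an explicitly hidden child with no granted descendants stays hidden.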

This is an archived mail posted to the Subversion Dev mailing list.
