On 23.10.2012 13:48, Stefan Sperling wrote:
> On Tue, Oct 23, 2012 at 04:29:51PM +0400, Ivan Zhakov wrote:
>>>> I'm working on the patch to list only readable repositories. There is
>>>> already a TODO comment in the code by cmpilato:
>>>> /* ### TODO: We could test for readability of the root
>>>> directory of each repository and hide those that
>>>> the user can't see. */
>> I'm going to create a small patch to just fix this problem and probably
>> refactor later in a separate commit.
> What about users who are allowed to see a subtree of the repository but
> not the root? Shouldn't such users be allowed to list the repository?

Maybe. The access grants involved are usually called "directory
traversal" and "directory read". Anyone who has any kind of at least
read access to any subtree in the repository should implicitly have
permission to traverse the tree to the root of that subtree, but not to
list directory contents.

What you're suggesting means that directory traversal permission on the
repository root implies partial, non-inheritable directory read
permission on the virtual one level above root. We could treat this as
an exception to an otherwise more usual permission model.

The trouble I see with modelling this is that, in most access control
models, the name of a node is a property of its parent, not of the node;
therefore, "read" permission for a directory implies being allowed to
list the names of all its children, but not their attributes (e.g., in
this case, the HEAD revision of each repository). I'd actually prefer to
stick with a more or less standard access control model than invent our own.
Received on 2012-10-23 15:08:43 CEST
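
The distinction discussed in the message above, between "directory read" and the "directory traversal" implied by read access to a subtree, as an added example that is not part of the original thread and is not Subversion's code or authz format. The GRANTS table, the policy names "root-read" and "traverse", and all function names are assumptions made for illustration.

```python
# Constructed model for illustration; not Subversion's authz format or API.
GRANTS = {  # user -> {repository: [subtree paths the user may read]}
    "alice": {"core": ["/"], "docs": ["/"]},
    "bob": {"core": ["/trunk/docs"]},   # subtree only, no access to the root
    "carol": {},
}

def is_within(path, root):
    """True if path equals root or lies beneath it."""
    root = root.rstrip("/")
    return path == (root or "/") or path.startswith(root + "/")

def can_read(user, repo, path):
    """Directory read: a grant at path or at one of its ancestors."""
    grants = GRANTS.get(user, {}).get(repo, [])
    return any(is_within(path, g) for g in grants)

def can_traverse(user, repo, path):
    """Directory traversal: read on path, or read on anything beneath it."""
    grants = GRANTS.get(user, {}).get(repo, [])
    return can_read(user, repo, path) or any(is_within(g, path) for g in grants)

def list_repositories(user, repos, policy):
    """'root-read' hides repositories whose root is unreadable;
    'traverse' also lists those where only a subtree is readable."""
    check = can_read if policy == "root-read" else can_traverse
    return [r for r in repos if check(user, r, "/")]

def visible_children(user, repo, path, children):
    """Read shows every child name; traversal alone shows only the names
    that lead toward a readable subtree (partial, non-inheritable read)."""
    if can_read(user, repo, path):
        return list(children)
    base = path.rstrip("/")
    return [c for c in children if can_traverse(user, repo, f"{base}/{c}")]

if __name__ == "__main__":
    repos = ["core", "docs"]
    for user in GRANTS:
        print(user, list_repositories(user, repos, "root-read"),
              list_repositories(user, repos, "traverse"))
    print(visible_children("bob", "core", "/", ["trunk", "branches", "tags"]))
```

Under "root-read" bob sees no repositories at all, while under "traverse" he sees "core" and, at its root, only the "trunk" entry that leads to his readable subtree.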