Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)
From: Thomas Åkesson <thomas_at_akesson.cc>
Date: Wed, 24 Oct 2012 00:08:41 +0200
On 23 Oct 2012, at 14:22, roderich.schupp_at_gmail.com wrote:
> I'm working on the patch to list only readable repositories. There is
Thanks Ivan for looking into it. Let's see if it is feasible to address.
> Please keep in mind that the problem is not restricted to parent-path collections
Are you saying that SVN 1.7 always allows browsing the root but it is empty when the user lacks authz? When I follow a link from the parentpath repository list into a repository where I do not have access, I get a 403.
Perhaps it is possible to confirm the existence of a repository by specifically requesting the head revision from arbitrary repository names. That is not ideal but requires significantly more determination to figure out than just looking at a list.
This is an archived mail posted to the Subversion Dev mailing list.