Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

From: Mark Phippard <markphip_at_gmail.com>
Date: Fri, 2 Nov 2012 10:12:24 -0400

On Fri, Nov 2, 2012 at 10:09 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>> So on a repository like the ASF or Wordpress where there are
>> a lot of top level folders then the server might have to do a fair
>> amount of work to process the request and return. I assume we do not
>> care about the content of the response, just the success or failure.
>>
> We already use sub requests for authorization checks in repository
> folder listing and log.

Sure, but in those cases the user is looking in the repository. Just
speculating on a worst case scenario where you have 100 repositories
that are all like the Wordpress repository and how much work it would
be to bring up the list of repositories.

>> So I am just wondering if there is a lighter weight HTTP request we
>> could do that would still trigger the authz check? Something like
>> OPTIONS or PROPFIND. Whatever would make sense and be quick to
>> process.
>>
> Another option is HEAD.

That sounds good to me.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/

Received on 2012-11-02 15:12:58 CET

This message: [ Message body ]
Next message: C. Michael Pilato: "Re: maunal WC upgrade test fallout"
Previous message: Ivan Zhakov: "Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)"
In reply to: Ivan Zhakov: "Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]