Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

From: Mark Phippard <markphip_at_gmail.com>
Date: Fri, 2 Nov 2012 10:12:24 -0400

On Fri, Nov 2, 2012 at 10:09 AM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>> So on a repository like the ASF or Wordpress where there are
>> a lot of top level folders then the server might have to do a fair
>> amount of work to process the request and return. I assume we do not
>> care about the content of the response, just the success or failure.
> We already use sub requests for authorization checks in repository
> folder listing and log.

Sure, but in those cases the user is looking in the repository. Just
speculating on a worst case scenario where you have 100 repositories
that are all like the Wordpress repository and how much work it would
be to bring up the list of repositories.

>> So I am just wondering if there is a lighter weight HTTP request we
>> could do that would still trigger the authz check? Something like
>> OPTIONS or PROPFIND. Whatever would make sense and be quick to
>> process.
> Another option is HEAD.

That sounds good to me.

Mark Phippard
Received on 2012-11-02 15:12:58 CET

This is an archived mail posted to the Subversion Dev mailing list.