Re: Authz on Collection of Repositories
From: Thomas ┼kesson <thomas.akesson_at_simonsoft.se>
Date: Sun, 11 Nov 2012 23:28:18 +0100
On 9 nov 2012, at 18:45, Ivan Zhakov wrote:
> On Thu, Nov 8, 2012 at 6:49 PM, Thomas ┼kesson
Yes, I am just trying to cover all bases including the possibility that people are depending on the inconsistency that we are addressing.
I have tested both with and without your patch. As expected, the patch has no impact on the AuthzSVNAnonymous issue.
There seems to be an issue when "AuthzSVNAnonymous Off" is combined with "Satisfy Any"; opens up the fort completely. Neither authn nor authz is required.
I think the problem is with access_checker, perhaps this part (has changed a few times during the years):
I am not quite sure how a DECLINE manages to bypass "Require valid-user" though. I understand how an OK would though.
>> - What is going on with AuthzSVNAnonymous Off? I will do more analysis of the
Confirmed as far as my testing goes (did not test short_circuit). I suggest committing the patch with GET subrequest and potentially change all to HEAD in a separate commit if there is consensus.
This is an archived mail posted to the Subversion Dev mailing list.