Re: Authz on Collection of Repositories

From: Thomas Åkesson <thomas.akesson_at_simonsoft.se>
Date: Wed, 14 Nov 2012 23:38:38 +0100

On 14 nov 2012, at 11:53, Ivan Zhakov <ivan_at_visualsvn.com> wrote:

>>>
>>> Confirmed as far as my testing goes (did not test short_circuit). I suggest
>>> committing the patch with GET subrequest and potentially change all to
>>> HEAD in a separate commit if there is consensus.
>> Committed in r1408184.
> I doubt about backporting this fix to 1.7.x.
>
> Pro:
> * This is regression from 1.6.x: It was possible to restrict access
> to "Collection of Repositories" by controlling access to [/], while
> access to individual repositories were controlled by [repoN:/]. This
> might not have been by design, bit still a very useful feature.
>
> * We already ported similar fix to hide unreadable dirs to 1.6.x (r996884)
>
> Cons:
> * Security behavior changes in patches is not good thing from my point view
>
>
> Any opinions?

I think it makes sense to release in 1.8 (no backport). Provides a better opportunity to explain the change. Admins on 1.6 who can not have open access to Collection of Repositories will have to skip 1.7.

I can try to draft something for the change notes, next week.

/Thomas Å.
Received on 2012-11-14 23:39:14 CET

This message: [ Message body ]
Next message: Greg Stein: "Re: [serf-dev] Re: Double compression over HTTPS"
Previous message: Greg Stein: "Re: fork/exec for hooks scripts with a large FSFS cache"
In reply to: Ivan Zhakov: "Re: Authz on Collection of Repositories"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]