On 28.07.2014 19:19, stefan2_at_apache.org wrote:
> Author: stefan2
> Date: Mon Jul 28 17:19:47 2014
> New Revision: 1614080
>
> URL: http://svn.apache.org/r1614080
> Log:
> On the authzperf branch: Implement the notion of path rule ordering
> by making svn_config_t iterate through sections in declaration order.
> This is done using a simple linked list because we can't remove
> sections but only add them.
No no no no!
Changing the svn_config_t structure is /not/ the right to do this. The
correct approach here is to parametrise the svn_config parser with a
constructor method, then create a new constructor for the authz parser
which will then get all entries in the file order. Please revert these
svn_config changes.
> Without support for wildcards or other patterns, the config struct
> will only contain a single section for each path. With wildcards,
> there may be more than one. All three of the follwing path rules
> are equally applicable:
>
> [/foo/*.doc]
> * = r
>
> [/foo/bar.*]
> * = rw
>
> [/foo/bar.doc]
> jrandom =
>
> To make conflicts managable, always pick the last path rule. That
> means users should specify general rules first, followed by exceptions
> and finally (and optionally) critical rules that deny certain access,
> potentially globally.
Are you saying that a wildcard path should match before a concrete path
when it happens to appear later in the authz file? Perish the thought.
Exact matches should always override fuzzy matches, anything else is not
intuitive at all and we'll receive a ton of spurious bug reports about
how authz files don't work.
Precedence ordering is fine between identical exact matches or between
equivalent wildcard matches for the same path, but not between these two
categories.
-- Brane
--
Branko Čibej | Director of Subversion
WANdisco | Realising the impossibilities of Big Data
e. brane_at_wandisco.com
Received on 2014-07-28 19:39:45 CEST