
Re: svn commit: r1621387 - in /subversion/branches/authzperf/subversion/libsvn_repos: authz.c authz.h authz_parse.c

From: Stefan Fuhrmann <stefan.fuhrmann_at_wandisco.com>
Date: Sat, 30 Aug 2014 21:37:56 +0200

On Sat, Aug 30, 2014 at 1:42 AM, Branko Čibej <brane_at_wandisco.com> wrote:

> On 29.08.2014 23:03, stefan2_at_apache.org wrote:
> > Author: stefan2
> > Date: Fri Aug 29 21:03:25 2014
> > New Revision: 1621387
> > URL: http://svn.apache.org/r1621387
> > Log:
> > On the authzperf branch: Make /**/ segments match empty paths, i.e. zero
> > segments, as well. That is in line with what e.g. zsh globbing does as well.
> This is contrary to what's written in the design doc in the wiki.

Yes, it is.

Friday afternoon during the SHF hackathon, I had a short discussion with
Ben and Justin. We discovered that the glob path matchers that we could
find (I remember zsh), would make "**" match empty paths by default.

Seeing now how small the difference in the parsing and matching code is,
we could even decide to make that behaviour an option. I don't suggest it
ATM because using wildcards correctly will already be challenging to
inexperienced admins (= 100% after the initial release) and behavioural
options may make discussions on users@ much harder.

> It also invalidates the wildcard normalization rules defined in that doc
> (and implemented by the parser), making the wildcard semantics
> inconsistent. For example, the rule that a trailing /** should be converted
> to a /* clearly no longer works after this change

As it turned out "**" is a much more powerful pattern than it may appear.
The reason is the difference between a rule _matching_ a path and its
ACL just applying by default to the respective sub-tree.

That means "/foo/**" matches all paths below "/foo" _individually_ (and
since 1621387 /foo itself), overriding any previous definitions and
a following "/foo/bar" rule to exactly that node. So, normalizing trailing
"/**" to just "/*" as per my original design has always been wrong.
Fixed in r1621521.

> Please update the doc and make the design consistent before implementing
> major semantic changes.

I updated the wiki page now to make it match the code again, updated
terminology to make it match your API and (hopefully) addressed the
comments you had on the page. I left the comments in for you to review.

-- Stefan^2.
Received on 2014-08-30 21:38:29 CEST
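
The difference between a trailing "/**" and "/*" discussed in the mail above, as an added example that is not part of the original mail and not Subversion's own code. It is a segment-wise matcher that assumes `*` matches exactly one path segment and `**` matches zero or more segments (the behaviour after r1621387); the name `authz_glob_match` is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Length of the path segment starting at s (up to the next '/' or the end). */
static size_t seg_len(const char *s) { return strcspn(s, "/"); }

/* Skip any '/' separators in front of the next segment. */
static const char *skip_sep(const char *s) { while (*s == '/') ++s; return s; }

/* Illustrative matcher (assumed semantics, not the authzperf code):
   "*" matches exactly one segment, "**" matches zero or more segments.
   Returns 1 if the rule pattern matches the path itself, else 0. */
int authz_glob_match(const char *pat, const char *path)
{
    size_t pl, sl;

    pat = skip_sep(pat);
    path = skip_sep(path);
    if (*pat == '\0')
        return *path == '\0';      /* pattern used up: path must be too */

    pl = seg_len(pat);
    if (pl == 2 && memcmp(pat, "**", 2) == 0) {
        /* Zero segments: drop "**" and match the rest in place. */
        if (authz_glob_match(pat + pl, path))
            return 1;
        /* Otherwise let "**" swallow one path segment and try again. */
        return *path != '\0' && authz_glob_match(pat, path + seg_len(path));
    }
    if (*path == '\0')
        return 0;                  /* "*" or a literal needs a segment */
    sl = seg_len(path);
    if (!(pl == 1 && *pat == '*') && (pl != sl || memcmp(pat, path, pl) != 0))
        return 0;                  /* literal segment differs */
    return authz_glob_match(pat + pl, path + sl);
}

int main(void)
{
    /* Constructed sample paths: shows why "/foo/**" cannot be
       normalized to "/foo/*" without changing which nodes match. */
    const char *paths[] = { "/foo", "/foo/bar", "/foo/bar/baz" };
    size_t i;
    for (i = 0; i < sizeof paths / sizeof paths[0]; ++i)
        printf("%-14s /foo/**=%d  /foo/*=%d\n", paths[i],
               authz_glob_match("/foo/**", paths[i]),
               authz_glob_match("/foo/*", paths[i]));
    return 0;
}
```

Only the rule's own match is modelled here; the default inheritance of an ACL by the sub-tree below a matched node is a separate step and is not implemented.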

This is an archived mail posted to the Subversion Dev mailing list.