
Anonymous access to root of edit operation fails ( was RE: Problem with SVN & Windows )

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2006-02-26 22:07:02 CET

Hi Michael,

> -----Original Message-----
> From: Michael Hertling [mailto:hertling@ikp.tu-darmstadt.de]
>
...
>
> (4) Nothing for [/] in authz and 'anon-access=read' in svnserve.conf:
> --> Challenge for authentication and failure with the line:
> "svn: Not authorized to open root of edit operation"
>
> To me, cases (1-3) seem to be absolutely correct, but case
> (4) - imho - reveals erroneous behaviour: Even if anonymous
> access is prohibited by the default effect of the authz file,
> i.e. no access at all, svnserve should be able to perform the
> requested checkout when it receives a valid authentication.
> Moreover, svn leaves an empty working directory with just the
> .svn subdirectory in it; normally, it doesn't do that if an
> authentication simply fails.

I was a bit surprised by this behaviour, so I stepped through the code to
check what exactly happens ( code on svn trunk, but I think behaviour is the
same as svn 1.3 ). I checked read behaviour by doing an update of the trunk
folder of my test repository.

Authentication works in three steps:
1. Repository wide check, will allow anonymous access if possible, otherwise
request credentials. This check is based purely on the anon-access property.
2. Opens the root folder of your request ( not the root of the repository!
). If anon-access=read but path-based authz fails, no credentials are asked!
3. CD's recursively in the subfolders. If anonymous access fails for one of
these folders, request credentials. That user will be used for all other
authz checks.

Step 2 is the check which fails with a 'Not authorized to open root of edit
operation' error. I'm not sure why it isn't asking for credentials here. I
suppose it should, because the current result is that an action on a working
copy fails or succeeds depending on which folder you start the action.
I'll try to get some more information whether or not this is expected behaviour
( but I'm already working on another authz issue, so this might take some
time ).

I think this is not only Windows specific either, just a consequence of the
new path-based authz mechanism in svn 1.3.

> > [..] You have to give users
> > read rights on the root of your repository if you want to
> > allow them write access somewhere deeper in the repository
> > ( bug in svnserve 1.3 )!
>
> Is that bug perhaps related to the behaviour mentioned above?
> The user in case (4) has full access to the whole repository,
> and the failure already appears at the checkout, i.e. reading stage.

The bug I was talking about is issue 2486, it only shows up in the commit
stage.

Lieven.

Received on Sun Feb 26 22:13:36 2006

This is an archived mail posted to the Subversion Users mailing list.
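
The three-step flow described in the message above, as a small Python model added here as an example; it is not svnserve code and not part of the original post. The rule table, the paths, the user name `alice` and the function names are constructed, and the "denied" result in step 3 is an assumption of the model.

```python
# Simplified model of the three checks described in the message above.
# Not svnserve source; the rule table, paths and user name are constructed.

def can_read(authz, user, path):
    """Nearest section (the path or an ancestor) naming the user or '*'
    decides. No matching section means no access, the authz default."""
    parts = [p for p in path.split("/") if p]
    while True:
        section = authz.get("/" + "/".join(parts), {})
        for who in ([user] if user else []) + ["*"]:
            if who in section:
                return "r" in section[who]
        if not parts:
            return False
        parts.pop()

def run_operation(anon_access, authz, root, subfolders, creds):
    """Return (outcome, user that ended up being used); None = anonymous."""
    user = None
    # Step 1: repository-wide check, based purely on anon-access.
    if anon_access == "none":
        user = creds
    # Step 2: open the root of the request. On failure nobody is prompted.
    if not can_read(authz, user, root):
        return ("Not authorized to open root of edit operation", user)
    # Step 3: descend. The first anonymous failure requests credentials,
    # and that user is used for all later checks.
    for path in subfolders:
        if not can_read(authz, user, path) and user is None:
            user = creds
        if not can_read(authz, user, path):
            return ("denied: " + path, user)  # model assumption
    return ("ok", user)

AUTHZ = {  # constructed; there is no [/] section, as in case (4)
    "/trunk": {"alice": "rw"},
    "/trunk/docs": {"*": "r"},
    "/trunk/docs/internal": {"*": "", "alice": "rw"},
}

if __name__ == "__main__":
    sub = ["/trunk/docs/internal"]
    # Same user, same rules: the result depends on the starting folder.
    print(run_operation("read", AUTHZ, "/trunk", [], "alice"))
    print(run_operation("read", AUTHZ, "/trunk/docs", sub, "alice"))
    # With anon-access=none, step 1 already requests credentials.
    print(run_operation("none", AUTHZ, "/trunk", [], "alice"))
```

In the model, starting at `/trunk` fails in step 2 without `alice` ever being asked, while starting at `/trunk/docs` reaches step 3, requests credentials and succeeds.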