On 16.01.2015 08:06, Tom Ghyselinck wrote:
> Hi,
>
> We are using subversion 1.8.8 (r1568071) server on Ubuntu 14.04.
>
> I need to add "$authenticated" to the group since this is required for
> our company generic group definitions.
I'm having a hard time understanding this requirement. Any concrete user
or group you mention in a rule will only take effect for authenticated
connections anyway.
> We created an authz file with group definitions as follows:
>
> [groups]
> myreaders = $authenticated
>
> [/]
> * =
>
> [/path1]
> $authenticated = r
>
> [/path2]
> @myreaders = r
>
> [/path3]
> # I know, this is actually a user definition
> myreaders = r
>
>
> It looks like it is not possible or not allowed to add the
> "$authenticated" token to a group definition:
> - Using it in /path1 is fine (as documented)
> - I expect it also to work in /path2, but it does not.
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path1 ~/test.authz
> r
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path2 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path3 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path1 ~/test.authz
> r
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path2 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path3 ~/test.authz
> # (Here it matches the "user" myreaders)
> r
>
>
> I couldn't find any documentation whether or not it is possible and/or
> allowed.
If you read
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
you'll find that you can define groups that contain users, aliases and
other groups. $authenticated and $anonymous are magic tokens that do not
belong to any of those categories.
The point is that group memberships are completely defined when the
authz file is parsed, but $authenticated and $anonymous do not refer to
users but to connection states when the authorization check is being done.
> Can someone confirm if this is expected to work or not?
It is not expected to work.
> If not, is there a workaround to add "$authenticated" to a group?
You don't need a workaround. Just change your configuration like this,
for example:

[/path2]
@myreaders = r
$authenticated = r

But, as I said above: this is redundant. The "@myreaders=r" entry only
takes effect if the connection is authenticated; if it's an anonymous
connection, there's no user name and therefore no group membership, so
you may as well omit the "@myreaders=r" entry from the authz rule.
-- Brane
Received on 2015-01-16 10:58:21 CET
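
The distinction drawn in the reply above (group membership fixed when the file is parsed, $authenticated decided per connection at check time), as an added example that is not part of the original thread and not Subversion's code. It is a simplified Python model; parse, matches and access_of are hypothetical helpers, and it assumes a "$authenticated" entry inside [groups] is kept as a literal member name, which is consistent with the svnauthz output quoted in the thread.

```python
import configparser

# Constructed sample: the authz file quoted in the thread.
AUTHZ = """[groups]
myreaders = $authenticated
[/]
* =
[/path1]
$authenticated = r
[/path2]
@myreaders = r
[/path3]
myreaders = r
"""
# The configuration suggested in the reply: the token goes in the rule itself.
FIXED = AUTHZ.replace("@myreaders = r", "@myreaders = r\n$authenticated = r")

def parse(text):
    """Hypothetical helper: groups become fixed sets of names at parse time."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep names case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in cp.items("groups")}
    rules = {s: cp.items(s) for s in cp.sections() if s != "groups"}
    return groups, rules

def matches(subject, user, groups):
    """Decide whether one rule subject applies to this connection."""
    if subject == "*":
        return True
    if subject == "$authenticated":
        return user is not None  # connection state, known only at check time
    if subject == "$anonymous":
        return user is None
    if subject.startswith("@"):
        # Assumption: plain name lookup, so a token stored as a member never matches
        return user in groups.get(subject[1:], set())
    return subject == user

def access_of(text, user, path):
    """user is None for an anonymous connection; returns 'r', 'rw' or 'no'."""
    groups, rules = parse(text)
    while True:  # the deepest section with a matching rule decides
        hits = [acc for subj, acc in rules.get(path, []) if matches(subj, user, groups)]
        if hits:
            return "".join(sorted(set("".join(hits)))) or "no"
        if path == "/":
            return "no"
        path = path.rsplit("/", 1)[0] or "/"
```

With the thread's file, access_of(AUTHZ, "someuser", "/path2") falls through to the "* =" rule on the root, while the same call against FIXED returns "r" for any named user and "no" for an anonymous connection.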