[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Path-based authorization ignores most specific path

From: Bert Huijben <bert_at_qqmail.nl>
Date: Mon, 13 Apr 2015 09:50:06 +0200

> -----Original Message-----
> From: all-lists_at_stefan-klinger.de [mailto:all-lists_at_stefan-klinger.de]
> Sent: zondag 12 april 2015 12:47
> To: users_at_subversion.apache.org
> Subject: Path-based authorization ignores most specific path
>
> Hello!
>
> --Summary--
>
> Path-based authorization seems to not work as documented
> currently: The most specific path is *not* used.
>
> Version: server=1.6.17, client=1.8.8 or 1.8.13
>
> Might be a reincarnation of (closed?) Issue 3242:
>
> http://svn.haxx.se/users/archive-2010-01/0124.shtml
> http://subversion.tigris.org/issues/show_bug.cgi?id=3242
>
>
> --Description--
>
> The documentation says (for all versions since 1.5):
>
> The thing to remember is that the most specific path always
> matches first.
>
>
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.pathbasedauthz.html
>
> I'm having the following lines concerning repository `proj` in my
> `access` file. As you can see, `/pub` should be publicly readable,
> but nothing else:
>
> Current access file contains:
>
> [groups]
> proj_staff = [...]
> proj_other = [...]
>
> [proj:/]
> @proj_staff = rw
> @proj_other = r
>
> [proj:/pub]
> * = r
> @proj_staff = rw
>
> [proj:/eval]
> @proj_other =
>
> [proj:/group]
> @proj_other = rw
>
> [proj:/group/foo]
> foo = rw
>
> The problem is:
>
> * I can *NOT* `svn co https://...proj/pub` without authentification.

For the record: I don't see anything in your config that you setup anonymous
authentication. Even with a * = r line some operations might still need to
know who you are, even though everybody has access to read.

For 1.8.x a checkout will retrieve inherited properties from all ancestor
directories of where you checked out (see release notes for the new features
that provides), so I'm not surprised that the client asks for your
credentials if you only provide access to those other directories if a user
is authenticated. (Not being able to read the properties is not an issue...
But the client will try to read them, which will produce a prompt)

If there is something on the server side related to your issue everybody
will recommend you to upgrade to a supported Subversion release first. We
only actively support the last revision and the one before that with
bugfixes, so that would be Subversion 1.8.x and 1.7.x. (and soon just 1.9.x
and 1.8.x).

        Bert
Received on 2015-04-13 09:50:41 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.