
Re: view log problem with path authorization

From: Stefan Sperling <stsp_at_elego.de>
Date: Mon, 30 May 2016 12:57:40 +0200

On Tue, May 24, 2016 at 08:40:29AM +0000, Phil Crooker wrote:
> Newbie question - I have authenticated users with read or r/w access who are unable to view logs, e.g.:
>
> # svn --username whatever --password xxxxx svn://svn/repos/project/yada.txt
> svn: Item is not readable
>
> I must grant anonymous read access in authz and then it works:
>
> [/]
> * = r
>
> I've seen this reported earlier but no answer:
>
> http://svn.haxx.se/users/archive-2011-02/0141.shtml
> http://stackoverflow.com/questions/6651997/svn-show-log-not-working
>
> My question is why can't an authenticated user who has rights see the logs?

Hi Phil,

The use case scenario behind the design of the authz feature is the following:

Imagine you're setting up a competition, where teams apply to compete
and write some piece of software for you based on a specification.
Your competition has the following constraints:
 - No team should be aware of who else is competing.
 - You're hosting all competing teams in a single repository.

In this scenario, the following information must be protected:
 - file content
 - the knowledge of which paths exist in the repository
 - the knowledge of which authors make commits to the repository

'svn log' always shows the author name, and the list of changed paths
is available with 'svn log -v'. And because log messages are free-form,
they may contain content which would leak such information.
For example, developers might refer to each other in log messages
("Review by: Robert") or they might refer to paths in the repository
("team1/project1/main.c: Fix crash with --help option.")

That's why, if any path in the changed paths list of a revision is
forbidden to the authenticated user, the *entire* information which
would be provided by 'svn log' is hidden from that user.

I suspect that, in your scenario, SVN denies access to the revision
log based on the above reasoning.
Received on 2016-05-30 12:57:56 CEST
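
The rule described in the reply above, as an added example that is not part of the original mail and not Subversion's own code: a simplified Python model in which one unreadable changed path hides a whole revision. The rule layout, the user names, the `can_read` and `visible_log` helpers and the sample revisions are assumptions constructed for illustration; groups, aliases and combining several matching entries in one section are not modelled.

```python
# Simplified model (assumption): rules map a repository path to {user or "*": access},
# where access is "r", "rw" or "" (no access).

def can_read(rules, user, path):
    """Walk from the path up to the root; the nearest section naming the user (or '*') decides."""
    parts = [p for p in path.split("/") if p]
    while True:
        section = rules.get("/" + "/".join(parts), {})
        if user in section:              # simplification: a user entry wins over '*'
            return "r" in section[user]
        if "*" in section:
            return "r" in section["*"]
        if not parts:
            return False                 # no section matched anywhere: no access
        parts.pop()


def visible_log(rules, user, revisions):
    """Rule from the reply: if any changed path is unreadable, hide the whole revision."""
    shown = []
    for rev in revisions:
        if all(can_read(rules, user, p) for p in rev["paths"]):
            shown.append(rev)
        else:
            shown.append({"rev": rev["rev"], "author": None, "msg": None, "paths": []})
    return shown


# Constructed sample data: two teams in one repository, no root section.
RULES = {"/team1": {"alice": "rw"}, "/team2": {"bob": "rw"}}
REVISIONS = [
    {"rev": 1, "author": "alice", "msg": "team1/main.c: Fix crash with --help option.",
     "paths": ["/team1/main.c"]},
    {"rev": 2, "author": "bob", "msg": "Add parser", "paths": ["/team2/parser.c"]},
    {"rev": 3, "author": "admin", "msg": "Create team directories",
     "paths": ["/team1", "/team2"]},
]

if __name__ == "__main__":
    for entry in visible_log(RULES, "alice", REVISIONS):
        print(entry["rev"], entry["author"], entry["msg"], entry["paths"])
    # Adding a root section with "* = r" makes every path readable in this model.
    open_rules = dict(RULES, **{"/": {"*": "r"}})
    print([e["author"] for e in visible_log(open_rules, "alice", REVISIONS)])
```

Revision 3 is the case to look at: alice can read `/team1`, but the revision also touches `/team2`, so in this model its author, message and paths are all withheld from her.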

This is an archived mail posted to the Subversion Users mailing list.
