Issue 179 in svnbook: BUG: path-based authz rule matching description is incorrect

svnbook at googlecode.com
Tue Dec 18 10:57:39 CST 2012


Status: New
Owner: cmpil... at gmail.com
Labels: Type-Defect Priority-Medium Milestone-en-1.6

New issue 179 by cmpil... at gmail.com: BUG: path-based authz rule matching  
description is incorrect
http://code.google.com/p/svnbook/issues/detail?id=179

Reported by Mark Cammidge <mark at peralex.com>:

{{{
In the section on path-based authz rules:

http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html

it is written that:

"Another important fact is that the first matching rule is the one which
gets applied to a user. In the prior example, even though Jane is a
member of the paint-developers group (which has read/write access), the
jane = r rule will be discovered and matched before the group rule, thus
denying Jane write access."

This doesn't appear to be correct, on svnserve at least.  I've tried the
given example, and the order appears to have no effect on the rule that
gets applied.

It appears that the least restrictive rule in a section is applied.  So
in the given example:


[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = harry, sally, joe, frank, sally, jane

[paint:/projects/paint]
jane = r
@paint-developers = rw


User jane gets read and write access, irrespective of the order.  This
was reported in trac bug #108, but the quoted section above that was
introduced as a result does not appear to be correct (for svnserve at
least).

Various other people have experienced the same thing:

[1]
http://osdir.com/ml/version-control.subversion.book/2008-06/msg00101.html

[2]
http://svn.haxx.se/dev/archive-2009-01/0606.shtml

A reply to [2] above suggests that the order of evaluation of the rules
is random.  That may be, but it looks like the rules are all evaluated
for the particular user, and the most permissive combination for a
particular section is used.

The source code seems to back this up, as it appears to me (and I'm no
expert on the code), that all the allows and denys for a particular user
and in a particular section are ORed together before being used.

Mark
}}}
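
The two readings of the rule file discussed in the report, as an added example that is not part of the report and not Subversion's own code: `first_match` models the book's wording, `union_match` models the ORed behaviour the reporter describes, and `order_dependent` lists entries whose effective access differs between the two. The function names are hypothetical, and the parsing is simplified (plain users, `@group` and `*` only; no aliases, nested groups or path inheritance).

```python
import configparser

# Constructed sample: the authz rules quoted in the report above.
AUTHZ = """
[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = harry, sally, joe, frank, sally, jane

[paint:/projects/paint]
jane = r
@paint-developers = rw
"""

def load(text):
    """Parse an authz file into (groups, {section: [(entry, access), ...]})."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in m.split(",")} for g, m in cp["groups"].items()}
    sections = {s: list(cp[s].items()) for s in cp.sections() if s != "groups"}
    return groups, sections

def matches(entry, user, groups):
    if entry.startswith("@"):
        return user in groups.get(entry[1:], set())
    return entry == user or entry == "*"

def first_match(rules, user, groups):
    """Reading in the book text: the first matching line decides."""
    for entry, access in rules:
        if matches(entry, user, groups):
            return set(access)
    return None

def union_match(rules, user, groups):
    """Reading in the report: every matching line in the section is ORed."""
    hits = [set(a) for e, a in rules if matches(e, user, groups)]
    return set().union(*hits) if hits else None

def order_dependent(text):
    """(section, user) pairs where the two readings give different access."""
    groups, sections = load(text)
    users = set().union(*groups.values())
    users |= {e for rules in sections.values() for e, _ in rules if e[0] not in "@*"}
    return sorted((s, u) for s, rules in sections.items() for u in users
                  if first_match(rules, u, groups) != union_match(rules, u, groups))

print(order_dependent(AUTHZ))
```

Any pair this reports is a place where an administrator relying on line order to restrict a user would get broader access than intended under the ORed behaviour.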
