Pavel Goran <inbox-17@pvgoran.name>


Found: r1847598
Suggested: r1847922

r1847598 | brane | 2018-11-27 21:32:21 +0000 (Tue, 27 Nov 2018)

Add a test for the bug reported on dev@ list with subject "authz's inverted
group access rules are only effective for users mentioned in authz".

* subversion/tests/cmdline/authz_tests.py
  (inverted_group_membership): New test case (XFail).

Found by: Pavel Goran


r1847922 | brane | 2018-12-01 21:55:11 +0000 (Sat, 01 Dec 2018)

Propagate knowledge about inverted access rule selectors (e.g., ~user,
~@group, ~&alias) to the global level of the parsed authz file structure
and take that information into account during access resolution.

* subversion/libsvn_repos/authz.h
  (authz_full_t): Add members has_neg_rights and neg_rights.
  (authz_acl_t): Add members has_neg_access and neg_access.

* subversion/libsvn_repos/authz_parse.c
  (neg_access_token): "User name" for the global inverted access rights.
  (insert_default_acl): Initialize neg_access and has_neg_access.
  (create_ctor_baton): Initialize the inverted global rights.
  (rules_open_section): Initialize the ACL's inverted access.
  (add_access_entry): Record the inverted rights.
  (expand_acl_callback): Propagate the inverted rights to global scope.

* subversion/libsvn_repos/authz_info.c
  (svn_authz__get_global_rights): When the user is authenticated but
   does not have an explicit entry in the authz file, use the available global
   inverted rights to resolve the user's access.

* subversion/tests/cmdline/authz_tests.py
  (inverted_group_membership): Remove XFail decorator.
   Delete the reference to the mail archives, it's in the issue tracker. 

* subversion/tests/cmdline/svnauthz_tests.py
  (svnauthz_inverted_selector_test): New test case.

Fixes: SVN-4793
Suggested by: Pavel Goran <inbox-17{_AT_}pvgoran.name>