
svnserver authz rule precedence bug?

Author ycdtosa <ycdtosa at gmail dot com>
Full name ycdtosa <ycdtosa at gmail dot com>
Date 2009-01-21 13:52:56 PST
Message Hi. I'm having a problem with svnserve and the authz file
that seems to me like a *bug* in subversion (svnserve) or the
documentation (subversion book).

svnserver authz rule precedence not working as expected / documented

So, w/o further ado, here is the simplest version I could figure out.

I wanted to allow read-only access to my repo to an authenticated user,
and read-write access to anyone else, so I got the following files:

* svnserve.conf: (disallow anonymous)

[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = My First Repository



* passwd: (a few users)

[users]
harry = harryssecret
sally = sallyssecret


* authz: (give harry read access, and rw to everybody else)

[/]
harry = r
$authenticated = rw


And that is it.

The problem is that with this configuration "harry" gets "rw" permissions,
even if to my understanding it shouldn't, since in chp6 of the book it reads...

  "Another important fact is that the first matching rule is the one
   which gets applied to a user.
   In the prior example, even though Jane is a member of the
   paint-developers group (which has read/write access),
   the jane = r rule will be discovered and matched before the group
   rule, thus denying Jane write access."

where the "prior example" was this:

  [paint:/projects/paint]
  jane = r
  @paint-developers = rw


Also, googling for a solution I've found this post
   [http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html]

where C. Michael (Mike) Pilato wrote:
  "But what about your authenticated would-be writers? Ah, therein
   lies the rub!
   *There are no authenticated users.* Since anonymous users can
   checkout the tree,
   Apache never bothers to query you for authentication credentials.
   And you can't force Subversion to transmit authentication
   credentials when Apache hasn't asked for them."

Which *is not the case* since anonymous access is already disabled, thus
the svnserver (not Apache here, but I think that is unrelated here)
*does* always require authentication.

This might be a follow-up of this thread:
   [http://osdir.com/ml/version-control.subversion.book/2008-06/msg00101.html]

but I could not find any follow-up.

Thanks.

BTW: I'm working with svnserve 1.5.1 (r32289), which is not the latest.

Also, I got a workaround for this, using something like this,
but still the issue about rule precedence is there.

   [/]
   harry = r
   ~harry = rw



And last: thanks for subversion, guys.
--
ycdtosa
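
An added example, not part of the original post and not Subversion's code: a small Python check that evaluates one authz section under the first-match reading quoted from the book and under a reading where every matching rule contributes its grants. The second reading is an assumption that reproduces the behaviour reported above; all function names are hypothetical. It lists the users whose effective access depends on which reading the server follows.

```python
# Added example: evaluates one authz section (e.g. [/]) under two readings.
# All function names are hypothetical; this is not Subversion's code.

def parse_section(text):
    """Return ordered (name, access) pairs from 'name = access' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, access = (part.strip() for part in line.split("=", 1))
            rules.append((name, access))
    return rules

def applies(name, user, groups):
    """Does a rule name cover this authenticated user?"""
    if name.startswith("~"):                 # inversion, as in ~harry
        return not applies(name[1:], user, groups)
    if name in ("*", "$authenticated"):
        return True
    if name == "$anonymous":
        return False
    if name.startswith("@"):                 # group reference
        return user in groups.get(name[1:], ())
    return name == user

def first_match(rules, user, groups=None):
    """Reading quoted from the book: the first matching rule decides."""
    for name, access in rules:
        if applies(name, user, groups or {}):
            return access
    return ""

def combined(rules, user, groups=None):
    """Assumed reading: every matching rule contributes its grants."""
    granted = {c for name, access in rules
               if applies(name, user, groups or {}) for c in access}
    return "".join(c for c in "rw" if c in granted)

def order_dependent_users(rules, users, groups=None):
    """Users whose access differs between the two readings."""
    return [u for u in users
            if first_match(rules, u, groups) != combined(rules, u, groups)]

# Constructed input: the two [/] sections from the post.
ORIGINAL = parse_section("harry = r\n$authenticated = rw")
WORKAROUND = parse_section("harry = r\n~harry = rw")

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("workaround", WORKAROUND)):
        print(label, order_dependent_users(rules, ["harry", "sally"]))
```

An empty result for a section means the outcome is the same under both readings, which is what the `~harry = rw` workaround achieves.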
