Edgewall Software

Ticket #7343 (new defect)

Opened 7 months ago

Last modified 2 months ago

Changeset module requires read permission to '/'

Reported by: anonymous
Owned by: cboos
Priority: normal
Milestone: 1.0
Component: version control/changeset view
Version: 0.11
Severity: critical
Keywords: svn authz
Cc:

Description

A user cannot see his own changeset contents if he does not have read permission to the root directory of the SVN repo (when using an authz file).

Exists in 0.10.4 and 0.10-stable


Change History

  Changed 7 months ago by Piotr Kuczynski <piotr.kuczynski@…>

  • keywords svn authz added
  • milestone set to 0.10.6

  Changed 6 months ago by anonymous

  • version changed from 0.10-stable to 0.11
  • severity changed from major to critical
  • milestone 0.10.6 deleted

Same behavior in newly released 0.11. You have to have read access to SVN / to see any changeset, even your own.

  Changed 3 months ago by rblank

  • keywords needinfo added

Is this a defect or by design? If we take the analogy of a filesystem, if I don't have read permission to /, I can't access any other resources on that filesystem. Sounds reasonable to me.

This is assuming that by "read permission to root directory of SVN repo", you mean the permissions set-up in the authz file, not filesystem permissions.

Could you please give some more details on your setup (especially regarding permissions)?

  Changed 3 months ago by anonymous

I'm talking about permissions set by the authz file, sorry if that was not clear from my initial post.

> if I don't have read permission to /, I can't access any other resources on that filesystem. Sounds reasonable to me.

SVN has different semantics. Otherwise it would be useless in commercial organizations. You can give a user permission to access a particular directory; there is no need for everybody in the company to have access to the whole repository recursively from the root.

Say you have an SVN structure like this:

/
/component1/
/component2/

and an authz file like this:

[repo:/]
* = 
[repo:/component1/]
auser = rw
....

Then in Trac, if auser goes to /browser, he will get a permission error. This is ok (but still may be handled better). If he goes to /browser/component1/, he will see his sources, which is ok. But if he wants to diff two revisions in /component1/, he will get a permission error. The same error happens if he follows a changeset link (containing only changes to /component1/) from the timeline.

The problem is that the diff module works on behalf of the user and starts recursively from the svn root.
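
The path-based semantics described in the comment above, as an added example that is not part of the ticket and is neither Trac's nor Subversion's code. It is a simplified model that handles only user names and `*` (no groups or aliases); the function names are hypothetical and the elided "...." line of the authz file is left out.

```python
import configparser
import posixpath

# The authz file from the ticket, without the elided "...." line.
AUTHZ = """\
[repo:/]
* =
[repo:/component1/]
auser = rw
"""

def load_rules(text, repo="repo"):
    """Return {path: {user_or_star: access}} for one repository."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        name, _, path = section.partition(":")
        if name == repo:
            rules["/" + path.strip("/")] = dict(cp[section])
    return rules

def can_read(rules, user, path):
    """Walk from path up to '/'; the nearest section naming the user
    (or '*') decides. No matching rule anywhere means deny."""
    path = "/" + path.strip("/")
    while True:
        section = rules.get(path, {})
        for who in (user, "*"):
            if who in section:
                return "r" in section[who]
        if path == "/":
            return False
        path = posixpath.dirname(path)

def root_gated_view(rules, user, changed_paths):
    """Model of the reported behaviour: the whole changeset is gated on '/'."""
    return can_read(rules, user, "/")

def per_path_view(rules, user, changed_paths):
    """Per-path check: return only the changed paths the user may read,
    so paths outside the user's subtree are never disclosed."""
    return [p for p in changed_paths if can_read(rules, user, p)]

if __name__ == "__main__":
    rules = load_rules(AUTHZ)
    changeset = ["/component1/src/a.c", "/component2/b.c"]  # constructed sample
    print(root_gated_view(rules, "auser", changeset))
    print(per_path_view(rules, "auser", changeset))
```

Filtering per path also covers a changeset that touches several components: the entries under /component2/ stay hidden from auser instead of the whole view being either denied or fully shown.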

follow-up: ↓ 6   Changed 3 months ago by rblank

  • keywords needinfo removed
  • milestone set to 1.0

Ok, I understand what you want to achieve. Does Subversion have these semantics? That is, if you set up SVN with the authz file above, can auser check out /component1?

I'm not too familiar with authz permission settings, so I'll leave this ticket to somebody else.

in reply to: ↑ 5   Changed 2 months ago by anonymous

Replying to rblank:

> Ok, I understand what you want to achieve. Does Subversion have these semantics?

yes, it does.

> That is, if you set up SVN with the authz file above, can auser check out /component1?

yep

> I'm not too familiar with authz permission settings, so I'll leave this ticket to somebody else.
