Path-based authorization ignores most specific path

2015-04-12 Thread all-lists
Hello!

--Summary--

Path-based authorization seems to not work as documented
currently:  The most specific path is *not* used.

Version: server=1.6.17, client=1.8.8 or 1.8.13

Might be a reincarnation of (closed?) Issue 3242:

http://svn.haxx.se/users/archive-2010-01/0124.shtml
http://subversion.tigris.org/issues/show_bug.cgi?id=3242


--Description--

The documentation says (for all versions since 1.5):

The thing to remember is that the most specific path always
matches first.

http://svnbook.red-bean.com/en/1.5/svn.serverconfig.pathbasedauthz.html

I'm having the following lines concerning repository `proj` in my
`access` file.  As you can see, `/pub` should be publicly readable,
but nothing else:

Current access file contains:

[groups]
proj_staff = [...]
proj_other = [...]

[proj:/]
@proj_staff = rw
@proj_other = r

[proj:/pub]
* = r
@proj_staff = rw

[proj:/eval]
@proj_other = 

[proj:/group]
@proj_other = rw

[proj:/group/foo]
foo = rw

The problem is:

  * I can *NOT* `svn co https://...proj/pub` without authentification.

As expected, though:

  * I can read `https://...proj/pub` in a web browser without
authentification.

  * I can `svn export https://...proj/pub` without authentification.

This has been working until recently, probably with SVN 1.4.x on the
server side.  Unfortunately I do not administer the subversion/apache
setup, so I do not have access to other config files.

Is it a known issue?  How can I fix it?

Thanks for helping!

Regards
Stefan

-- 
http://stefan-klinger.de  o/X
  /\/
\


Re: Path-based authorization ignores most specific path

2015-04-13 Thread all-lists
On 2015-Apr-13, Bert Huijben wrote with possible deletions:
> > 
> > Current access file contains:
> > 
> > [groups]
> > proj_staff = [...]
> > proj_other = [...]
> > 
> > [proj:/]
> > @proj_staff = rw
> > @proj_other = r
> > 
> > [proj:/pub]
> > * = r
> > @proj_staff = rw
> > 
> > [proj:/eval]
> > @proj_other =
> > 
> > [proj:/group]
> > @proj_other = rw
> > 
> > [proj:/group/foo]
> > foo = rw
> > 
> > The problem is:
> > 
> >   * I can *NOT* `svn co https://...proj/pub` without authentification.
> 
> For the record: I don't see anything in your config that you setup anonymous
> authentication. Even with a * = r line some operations might still need to
> know who you are, even though everybody has access to read.

What would that be?  Something like this?

[sq_15s:/pub]
$anonymous = r
@proj_staff = rw

As I read the docs, this would not apply to the authenticated users,
i.e., it would be fewer users than those addressed with `*`.  Anyways, I
have tried this, and it makes no difference.

> For 1.8.x a checkout will retrieve inherited properties from all ancestor
> directories of where you checked out (see release notes for the new features
> that provides), so I'm not surprised that the client asks for your
> credentials if you only provide access to those other directories if a user
> is authenticated. (Not being able to read the properties is not an issue...
> But the client will try to read them, which will produce a prompt)

Well, there are no properties set on `/`, so there's nothing to
inherit.

What is the right way to make only a subdirectory accessible to the
world via `svn co`?  Exporting works, so what's the point to disallow
checkout?

> If there is something on the server side related to your issue everybody
> will recommend you to upgrade to a supported Subversion release first.

Yes, well, I'm not the admin of the service I have to use.  Sorry
about that.




-- 
http://stefan-klinger.de  o/X
  /\/
\
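
The documented rule quoted in the thread ("the most specific path always matches first"), worked through for the posted access file: this is an added example, not part of the thread and not Subversion's own code. It is a simplified model (flat groups, rights of all matching lines in a section combined), it lists the ancestors a checkout of `/pub` would also ask about, and the group members `alice` and `bob` and all function names are assumptions.

```python
import configparser
from pathlib import PurePosixPath

# Rules from the thread; group members are constructed (the post elides them).
AUTHZ = """
[groups]
proj_staff = alice
proj_other = bob
[proj:/]
@proj_staff = rw
@proj_other = r
[proj:/pub]
* = r
@proj_staff = rw
[proj:/eval]
@proj_other =
[proj:/group]
@proj_other = rw
[proj:/group/foo]
foo = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def applies(cp, who, user):  # user=None means anonymous
    if who.startswith("@"):  # flat groups only, no nested groups
        return user in [m.strip() for m in cp["groups"].get(who[1:], "").split(",")]
    return who == "*" or (who == "$anonymous" and user is None) or who == user

def access(cp, repo, path, user=None):
    """Rights from the deepest section that names the user, else the parent's."""
    while True:
        name = f"{repo}:{path}"
        if cp.has_section(name):
            hits = [v for k, v in cp[name].items() if applies(cp, k, user)]
            if hits:  # an empty value still matches, and grants nothing
                return "".join(sorted(set("".join(hits))))
        if path == "/":
            return ""
        path = str(PurePosixPath(path).parent)

def unreadable_ancestors(cp, repo, path, user=None):
    """Ancestors of `path` that `user` may not read."""
    parents = [str(p) for p in PurePosixPath(path).parents]
    return [p for p in parents if "r" not in access(cp, repo, p, user)]
```

For the anonymous user the model grants `r` on `/pub` and nothing on `/`, so any client request that touches the parent of `/pub` falls outside the public rule.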