On 10/18/13 12:46 PM, Naumenko, Roman wrote: > But there are still checks (or maybe this is just info log) against > access-file for each path in repository. > Is it something expected or enabled somewhere by default? > > [Fri Oct 18 15:35:52 2013] [info] [client 10.11.11.18] Access granted: > 'user1' REPORT /trunk/very_long_path/Data.manifest > [Fri Oct 18 15:35:52 2013] [debug] > subversion/mod_authz_svn/mod_authz_svn.c(195): [client 10.11.11.18] Path > to authz file is /path_to_access_file/svn_acc > > I mean if a user has access to a repository, why checking all paths > under? Or its just info log about mod_authz_svn processing path > directly, as you said?
The authz access file is only read once per connection. But the checks will be run for each path accessed by the request. Some of the requests over HTTP actually access multiple paths in the repository. For instance a REPORT request might be doing what's referred to as a bulk update, in which case it's asking for details on all the paths under a given path. The update REPORT in this case will include file content for paths under the path. Only the top level path will be in the URI. If you want to disallow access to some paths under that root path of the request it is necessary to check all the paths. Some other operations like COPY and MOVE also touch paths other than the one in the URI for the request since the action requires two paths. So what you're seeing is perfectly normal operation for the short_circuit configuration. You can entirely disable the additional checks mentioned above by setting "SVNPathAuthz off". However, I would not recommend that as it will make some authz rules ineffective. The whole created by this in the update report case can be closed by also setting "SVNAllowBulkUpdate off" but that doesn't help the COPY or MOVE cases. So in general, there's really not a great reason to use the off setting.
