Improper handling of scoped repositories in svn AuthzSourcePolicy

[Itamar Ostricher]

The AuthzSourcePolicy component uses the resource.id for matching a repository path in the authz file (trunk/trac/versioncontrol/svn_authz.py?rev=10005#L154​), which is only the relative path from the scope in case of scoped repositories.

As a result, it is not possible to reuse the authz file created for serving the SVN repository, which uses full paths.

This can be fixed, at least for SVN-scoped-repositories, by replacing the mentioned line with:

for p in parent_iter(self.env.get_repository(resource.parent.id).scope + resource.id.strip('/')):

[Remy Blank]

Support for scoped repositories.

[Remy Blank]

Could you please test 9566-scoped-repos-r10006.patch​? It should add support for scoped repositories. It also refactors the permission checking to remove duplicate code.

As CachedRepository already checks for a .scope attribute, I wonder if we shouldn't "standardize" this practice by defining a scope = '/' class attribute in Repository, so that the scope is always present and "empty" by default?

[Itamar Ostricher]

Replying to rblank:

Could you please test 9566-scoped-repos-r10006.patch​? It should add support for scoped repositories. It also refactors the permission checking to remove duplicate code.

Any chance you could generate the patch using svn instead of git? (or alternatively explain how I apply the patch to a svn working copy)

As CachedRepository already checks for a .scope attribute, I wonder if we shouldn't "standardize" this practice by defining a scope = '/' class attribute in Repository, so that the scope is always present and "empty" by default?

+1

[Remy Blank]

Replying to itamaro:

Any chance you could generate the patch using svn instead of git? (or alternatively explain how I apply the patch to a svn working copy)

You can apply it normally with patch:

cd /path/to/working/copy
patch -p1 <9566-scoped-repos-r10006.patch

You may have to adjust the end-of-lines if you are on Windows (and find a suitable patch.exe).

[Itamar Ostricher]

OK, it wasn't a svn-git issue with applying the patch, it was a branch-issue. I have trunk, and it appears that the patch is against branches/0.12-stable …

Anyway, I tried taking svn_authz.py from the branch (only that module, without touching any other one) and then applying the patch, which caused an exception on every request, similar to:

Traceback (most recent call last):
  ...
  File "c:\var\trac\trac-trunk\trac\versioncontrol\svn_authz.py", line 148, in check_permission
    if (resource.realm, action) in self._handled_perms:
AttributeError: 'NoneType' object has no attribute 'realm'

[Remy Blank]

Handle coarse permissions

[Remy Blank]

Right, I forgot to handle coarse permissions. Please try 9566-scoped-repos-2-r10006.patch​.

[Itamar Ostricher]

Replying to rblank:

Right, I forgot to handle coarse permissions. Please try 9566-scoped-repos-2-r10006.patch​.

That seems to do the trick. This works for me now.

Thanks!

[Remy Blank]

Thanks for testing. Patch applied in [10007].

That leaves the question of formalizing the scope, something like 9566-formal-scope-r10007.patch​. All tests pass.

[Remy Blank]

Formalize the repository scope.

[Remy Blank]

9566-formal-scope-r10007.patch​ applied in [10056].