Edgewall Software
Modify

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#10358 closed defect (duplicate)

Permission Check of Repository Browser fails for some folder names

Reported by: Herbert Thielen <thielen@…> Owned by:
Priority: normal Milestone:
Component: version control/browser Version: 0.12.1
Severity: normal Keywords: security
Cc: Branch:
Release Notes:
API Changes:

Description

I'm going to use path based authorization to restrict access to the subversion repository.

While it's working fine using svn via WebDAV/Apache/mod_auth_svn, the trac browser somtimes ignores the access restrictions depending on the path names.

I want to enable restrictions like this in authz_file syntax:

[somemodule:/trunk/doc/team/private_11w/Special_User.One]
* =
User.One = rw

[somemodule:/trunk/doc/team/private_11w/Special_User.Two]
* =
User.Two = rw

Using svn, this is working fine - User.One only sees the directory Special_User.One in /trunk/doc/team/private_11w, and she does not see Special_User.Two there.

But using the trac repository browser, both users see both directories.

Restricting access to the private_11w at all works, i.e.

[somemodule:/trunk/doc/team/private_11w]
* =
Special.User = rw

hides all subdirectories of private_11w to all users except Special.User.

The same happened after renaming private_11w to privat11w, but renaming it to private helps (of course together with the according changes in the authz_file), e.g.

[somemodule:/trunk/doc/team/private/Special_User.One]
* =
User.One = rw

[somemodule:/trunk/doc/team/private/Special_User.Two]
* =
User.Two = rw

Seems as if there is some restriction on the accepted characters in the path (not the last element).

Could it be related to ticket:9976? The problem described there is a little bit different, but he's also using special characters in path names.

System Information:

  • Ubuntu 10.10
  • Python 2.6.6-5ubuntu1
  • subversion 1.6.12dfsg-1ubuntu1.3
  • python-subversion 1.6.12dfsg-1ubuntu1.3

Attachments (0)

Change History (4)

comment:1 by Remy Blank, 8 years ago

Milestone: next-minor-0.12.x

Looks indeed related to #9976, not due to the special character, but because a copy operation is involved.

comment:2 by Herbert Thielen <thielen@…>, 8 years ago

But note that I tried different names, so several copy operations have been involved:

  • copied to private_11w → didn't work (as far as I remember, I started with private before, but I'm not sure on this)
  • copied from private_11w to private11w → didn't work either
  • copied from private11w to private → worked fine

Hiding the whole directory private_11w was possible, only hiding the subdirectories wasn't …

comment:3 by Christian Boos, 8 years ago

Milestone: next-minor-0.12.x
Resolution: duplicate
Status: newclosed

Confirmed to be a duplicate of #9976 and the 10208-requested-rev-r10910.patch:ticket:10208 patch also fixes this use case.

(the names themselves private, private_ …, didn't matter; it worked as expected for paths which haven't been copied, but for copies the origin path was used for testing permissions hence the unexpected behavior)

comment:4 by Herbert Thielen <thielen@…>, 8 years ago

Thanks for this clarification!

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The ticket will remain with no owner.
The resolution will be deleted. Next status will be 'reopened'.
to as closed The owner will be changed from (none) to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.