Context Navigation

Modify ↓

#10358 closed defect (duplicate)

Permission Check of Repository Browser fails for some folder names

Reported by:	Herbert Thielen <thielen@…>	Owned by:
Priority:	normal	Milestone:
Component:	version control/browser	Version:	0.12.1
Severity:	normal	Keywords:	security
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I'm going to use path based authorization to restrict access to the subversion repository.

While it's working fine using svn via WebDAV/Apache/mod_auth_svn, the trac browser somtimes ignores the access restrictions depending on the path names.

I want to enable restrictions like this in authz_file syntax:

[somemodule:/trunk/doc/team/private_11w/Special_User.One]
* =
User.One = rw

[somemodule:/trunk/doc/team/private_11w/Special_User.Two]
* =
User.Two = rw

Using svn, this is working fine - User.One only sees the directory Special_User.One in /trunk/doc/team/private_11w, and she does not see Special_User.Two there.

But using the trac repository browser, both users see both directories.

Restricting access to the private_11w at all works, i.e.

[somemodule:/trunk/doc/team/private_11w]
* =
Special.User = rw

hides all subdirectories of private_11w to all users except Special.User.

The same happened after renaming private_11w to privat11w, but renaming it to private helps (of course together with the according changes in the authz_file), e.g.

[somemodule:/trunk/doc/team/private/Special_User.One]
* =
User.One = rw

[somemodule:/trunk/doc/team/private/Special_User.Two]
* =
User.Two = rw

Seems as if there is some restriction on the accepted characters in the path (not the last element).

Could it be related to ticket:9976? The problem described there is a little bit different, but he's also using special characters in path names.

System Information:

Ubuntu 10.10
Python 2.6.6-5ubuntu1
subversion 1.6.12dfsg-1ubuntu1.3
python-subversion 1.6.12dfsg-1ubuntu1.3

Attachments (0)

Change History (4)

comment:1 by Remy Blank, 13 years ago

Milestone:	→ next-minor-0.12.x

Looks indeed related to #9976, not due to the special character, but because a copy operation is involved.

comment:2 by Herbert Thielen <thielen@…>, 13 years ago

But note that I tried different names, so several copy operations have been involved:

copied to private_11w → didn't work (as far as I remember, I started with private before, but I'm not sure on this)
copied from private_11w to private11w → didn't work either
copied from private11w to private → worked fine

Hiding the whole directory private_11w was possible, only hiding the subdirectories wasn't …

comment:3 by Christian Boos, 13 years ago

Milestone:	next-minor-0.12.x
Resolution:	→ duplicate
Status:	new → closed

Confirmed to be a duplicate of #9976 and the 10208-requested-rev-r10910.patch:ticket:10208 patch also fixes this use case.

(the names themselves private, private_ …, didn't matter; it worked as expected for paths which haven't been copied, but for copies the origin path was used for testing permissions hence the unexpected behavior)

comment:4 by Herbert Thielen <thielen@…>, 13 years ago

Thanks for this clarification!

Modify Ticket

Change Properties

Summary:
Description:	I'm going to use path based authorization to restrict access to the subversion repository. While it's working fine using `svn` via WebDAV/Apache/mod_auth_svn, the trac browser somtimes ignores the access restrictions depending on the path names. I want to enable restrictions like this in `authz_file` syntax: {{{ [somemodule:/trunk/doc/team/private_11w/Special_User.One] * = User.One = rw [somemodule:/trunk/doc/team/private_11w/Special_User.Two] * = User.Two = rw }}} Using `svn`, this is working fine - User.One only sees the directory `Special_User.One` in `/trunk/doc/team/private_11w`, and she does not see `Special_User.Two` there. But using the trac repository browser, both users see both directories. Restricting access to the `private_11w` at all works, i.e. {{{ [somemodule:/trunk/doc/team/private_11w] * = Special.User = rw }}} hides all subdirectories of `private_11w` to all users except Special.User. The same happened after renaming `private_11w` to `privat11w`, but renaming it to `private` helps (of course together with the according changes in the `authz_file`), e.g. {{{ [somemodule:/trunk/doc/team/private/Special_User.One] * = User.One = rw [somemodule:/trunk/doc/team/private/Special_User.Two] * = User.Two = rw }}} Seems as if there is some restriction on the accepted characters in the path (not the last element). Could it be related to ticket:9976? The problem described there is a little bit different, but he's also using special characters in path names. System Information: * Ubuntu 10.10 * Python 2.6.6-5ubuntu1 * subversion 1.6.12dfsg-1ubuntu1.3 * python-subversion 1.6.12dfsg-1ubuntu1.3 You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The ticket will remain with no owner.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from (none) to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: