AuthzSourcePolicy doesn't deny viewing changeset on restricted path
|Reported by:||Ryan J Ollos||Owned by:|
Description (last modified by )
There seems to be an inconsistency in
AuthzSourcePolicy permission checking for files and changesets. For files, a
False decision is made based on the authz configuration: tags/trac-1.2.2/trac/versioncontrol/svn_authz.py@:219#L181. However, for changesets the decision will be
None: tags/trac-1.2.2/trac/versioncontrol/svn_authz.py@:223-225#L181. When the decision is
None, other policies are consulted.
[/dir1] user1 = r [/dir2] user2 = r
Consider a change to
/dir1/file1, where no users have coarse-grained
user1 can view the file and changeset and
user2 cannot. Now grant
authenticated. The behavior is the same for
user2 can view the changeset but cannot view the file.
The issue may have been introduced in r10007.