Edgewall Software

Opened 4 years ago

Last modified 21 months ago

#12922 new defect

AuthzSourcePolicy doesn't deny viewing changeset on restricted path

Reported by: Ryan J Ollos Owned by:
Priority: normal Milestone: next-stable-1.4.x
Component: version control Version:
Severity: normal Keywords: authzsourcepolicy
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

There seems to be an inconsistency in AuthzSourcePolicy permission checking for files and changesets. For files, a True or False decision is made based on the authz configuration: tags/trac-1.2.2/trac/versioncontrol/svn_authz.py@:219#L181. However, for changesets the decision will be True or None: tags/trac-1.2.2/trac/versioncontrol/svn_authz.py@:223-225#L181. When the decision is None, other policies are consulted.

Simple example:

user1 = r
user2 = r

Consider a change to /dir1/file1, where no users have coarse-grained FILE_VIEW and CHANGESET_VIEW. user1 can view the file and changeset and user2 cannot. Now grant FILE_VIEW and CHANGESET_VIEW to authenticated. The behavior is the same for user1. However, user2 can view the changeset but cannot view the file.

View of user1:

View of user2:

The issue may have been introduced in r10007.
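The description above hinges on how Trac resolves a chain of permission policies: a policy answering None abstains and the next policy is asked, so a changeset check that returns None instead of False falls through to the coarse-grained CHANGESET_VIEW grant. The following is an added model of that chain, not Trac's own code; AUTHZ, COARSE, AuthzSourcePolicyModel, DefaultPolicyModel and check() are constructed names, and the authz rules are a constructed stand-in for the ticket's example.

```python
# Constructed authz rules (not the ticket's exact file): path -> {user: access}
AUTHZ = {"/dir1": {"user1": "r"}}
# Constructed coarse-grained grants: "grant FILE_VIEW and CHANGESET_VIEW to authenticated"
COARSE = {"FILE_VIEW", "CHANGESET_VIEW"}


def authz_allows(user, path):
    """True if the authz rules give `user` read access to `path`."""
    for rule_path, perms in AUTHZ.items():
        if path == rule_path or path.startswith(rule_path + "/"):
            return "r" in perms.get(user, "")
    return False


class AuthzSourcePolicyModel:
    """Fine-grained policy. Files get True/False; changesets get True/None
    when deny_changesets is False (the inconsistency in the report)."""

    def __init__(self, deny_changesets):
        self.deny_changesets = deny_changesets

    def check_permission(self, action, user, resource):
        kind, path = resource
        allowed = authz_allows(user, path)
        if kind == "source" and action == "FILE_VIEW":
            return allowed  # explicit True or False, never abstains
        if kind == "changeset" and action == "CHANGESET_VIEW":
            if allowed:
                return True
            return False if self.deny_changesets else None  # None = abstain
        return None


class DefaultPolicyModel:
    """Coarse-grained policy: every named user counts as authenticated."""

    def check_permission(self, action, user, resource):
        return action in COARSE


def check(policies, action, user, resource):
    """Trac-style chain: the first policy that does not abstain decides."""
    for policy in policies:
        decision = policy.check_permission(action, user, resource)
        if decision is not None:
            return decision
    return False
```

With deny_changesets=False the model reproduces the reported behaviour (user2 sees the changeset but not the file); with deny_changesets=True both are denied.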

Attachments (3)

Screen Shot 2017-09-23 at 22.35.26.png (17.3 KB ) - added by Ryan J Ollos 4 years ago.
Screen Shot 2017-09-23 at 22.36.15.png (20.1 KB ) - added by Ryan J Ollos 4 years ago.
Screen Shot 2017-09-23 at 22.38.45.png (35.8 KB ) - added by Ryan J Ollos 4 years ago.

Change History (6)

comment:1 by Ryan J Ollos, 4 years ago

Description: modified (diff)

comment:2 by Ryan J Ollos, 4 years ago

With changes in [881fd1dab/rjollos.git], user2 is denied view of the changeset:

Compare [881fd1dab/rjollos.git] to the behavior prior to r10007: branches/0.12-stable/trac/versioncontrol/svn_authz.py@10006:184-189#L174.

comment:3 by Ryan J Ollos, 21 months ago

Milestone: next-stable-1.2.x → next-stable-1.4.x
