Opened 7 years ago
Last modified 7 months ago
#12922 new defect
AuthzSourcePolicy doesn't deny viewing changeset on restricted path — at Initial Version
| Reported by: | Ryan J Ollos | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | next-stable-1.6.x |
| Component: | version control | Version: | |
| Severity: | normal | Keywords: | authzsourcepolicy |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
There seems to be an inconsistency in AuthzSourcePolicy permission checking for files and changesets. For files, a True or False decision is made based on the authz configuration: tags/trac-1.2.2/trac/versioncontrol/svn_authz.py@:219#L181. However, for changesets the decision will be True or None: tags/trac-1.2.2/trac/versioncontrol/svn_authz.py@:223-225#L181. When the decision is None, other policies are consulted.
Simple example:
[/dir1] user1 = r [/dir2] user2 = r
Consider a change to /dir1/file1, where no users have coarse-grained FILE_VIEW and CHANGESET_VIEW. user1 can view the file and changeset and user2 cannot. Now grant FILE_VIEW and CHANGESET_VIEW to authenticated. The behavior is the same for user1. However, user2 can view the changeset but cannot view the file.
The issue may have been introduced in r10007.
Change History (2)
by , 7 years ago
| Attachment: | Screen Shot 2017-09-23 at 22.35.26.png added |
|---|
by , 7 years ago
| Attachment: | Screen Shot 2017-09-23 at 22.36.15.png added |
|---|
