Opened 19 years ago
Closed 19 years ago
#2453 closed defect (duplicate)
authz requires more access than needed
Reported by: | Owned by: | Jonas Borgström | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | version control/browser | Version: | 0.9 |
Severity: | normal | Keywords: | authz |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
The current authz permission system does not reflect the properties of svn permissions when inheriting rights. Ref. http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4.2
svn authz system checks the most qualified path and when a match is found it uses that right away.
Hence,
```
[/]
* =

[repo1:project1]
* = r
```
allows read-only access to project1 in repo repo1 without granting access to anything else.
Setting up trac to use repo1 project1 will give:
Permission denied on /
It appears trac authz requires at least read access to / which is not the way permissions are inherited in subversion.
The workaround is to set the trac environment repository_dir to the subpath of project1 (e.g. /my/repos/repo1/project1) and disable authz.
First of all, you need to use a "/" at the beginning of the path names in the authz file, so `[repo1:project1]` should be `[repo1:/project1]`. Also, even if you've given access to the "/project1" directory, Trac will deny access to the root folder of the repository since you have not given any users access to it. This behavior is the same as SVN's enforcement of the authz permissions.

I think that using the repository subpath is an appropriate choice for what it looks like you're doing. However, I think that the reason you disabled the authz config is due to the problem reported in #2477, so I'm going to close this ticket as a duplicate of that issue.
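The rule lookup discussed in this ticket, as an added example (not Trac's or Subversion's code): a simplified model of nearest-section authz matching, run on the ticket's rules with the leading slash from the reply. The function names are hypothetical, and the model assumes only `*` and exact user names (no groups or aliases).

```python
import configparser

# Constructed sample: the ticket's rules, with the leading "/" from the reply.
AUTHZ = """
[/]
* =

[repo1:/project1]
* = r
"""

def load_authz(text):
    # Keep option names as written so user names stay case-sensitive.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def ancestors(path):
    """Yield the path itself, then each parent directory, ending at '/'."""
    parts = [p for p in path.split("/") if p]
    while parts:
        yield "/" + "/".join(parts)
        parts.pop()
    yield "/"

def access(authz, repo, user, path):
    """Return the access string ('', 'r', 'rw') from the nearest matching section."""
    for p in ancestors(path):
        # Model assumption: a repo-qualified section is tried before a generic one.
        for section in (f"{repo}:{p}", p):
            if authz.has_section(section):
                rules = authz[section]
                for who in (user, "*"):
                    if who in rules:
                        return rules[who].strip()
    return ""  # no rule on the path or any ancestor: deny

def can_read(authz, repo, user, path):
    return "r" in access(authz, repo, user, path)

if __name__ == "__main__":
    authz = load_authz(AUTHZ)
    for path in ("/", "/project1", "/project1/trunk/setup.py", "/project2"):
        verdict = "read" if can_read(authz, "repo1", "anyone", path) else "denied"
        print(f"{path}: {verdict}")
```

In this model everything under `/project1` is readable while `/` itself is denied, so a browser that starts by checking `/` reports the denial from the ticket; a section written without the leading slash is never looked up at all.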