Opened 13 years ago
Last modified 11 years ago
#9976 closed defect
Permission check of Repository Browser does not work — at Initial Version
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | 0.12.3 |
Component: | version control/browser | Version: | 0.12.1 |
Severity: | normal | Keywords: | svnauthz, authzsourcepolicy |
Cc: | dmitry@… | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
The permission check of the Repository Browser does not work correctly for me. Is it a bug (security incident) or is it according to the specification?
I am using Trac 0.12.1 and Subversion in my project. I created a tag for my project and set the access permissions for it. But the folders under the tag can be accessed with the repository browser, even if the user doesn't have permission to access them.
And it worked well when I used svn access.
Details:
(1) Create a tag named as "REL-1.0":

```
svn copy http://host/svn/myproject/trunk/ http://host/svn/myproject/tags/REL-1.0
```

(2) Set permissions for the tag. This is part of my svnauth file after I finished setting the permissions:

```
[myproject:/tags/REL-1.0]
* = r
admin = r
[myproject:/tags/REL-1.0/secret]
* =
admin = r
```

(3) Log in with a user (not admin). Access the secret folder by repository browser: http://host/trac/myproject/browser/tags/REL-1.0/secret. The folders and files under "/tags/REL-1.0/secret" are displayed. I think this is not correct.

(4) Verify by svn access (not admin): http://host/svn/myroject/tags/REL-2.0/secret/. The access was refused because there is not enough permission. I think this is correct.
P.S. I have debugged the source code of "browser.py" and "perm.py". I found that when I accessed the "/tags/REL-1.0/secret" folder with the repository browser, the permission of "/trunk/secret" was checked by the first line of the _render_dir method in "browser.py" (node.resource). I hope the permission of "/tags/REL-1.0/secret" should be checked.
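
The discrepancy reported above can be reproduced outside Trac with a small regression check. This is an added example, not Trac's or Subversion's code: it uses a simplified authz model (no groups or aliases), and the `[myproject:/trunk]` rule and the user `alice` are assumptions, since the report shows only part of the file.

```python
import configparser
import posixpath

# Rules from the report, plus one assumed [myproject:/trunk] rule (constructed:
# the report shows only part of the file) so the copy source is readable.
AUTHZ = """
[myproject:/trunk]
* = r
[myproject:/tags/REL-1.0]
* = r
admin = r
[myproject:/tags/REL-1.0/secret]
* =
admin = r
"""

def load_rules(text):
    """Parse authz text into {(repo, path): {user: perms}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {tuple(s.split(":", 1)): dict(cp[s]) for s in cp.sections()}

def can_read(rules, repo, path, user):
    """Simplified lookup: the deepest section on the path that names the user
    (or '*') decides; any matching entry containing 'r' grants read."""
    path = posixpath.normpath(path)
    while True:
        entries = rules.get((repo, path), {})
        matching = [perm for who, perm in entries.items() if who in (user, "*")]
        if matching:
            return any("r" in perm for perm in matching)
        if path == "/":
            return False  # no rule anywhere on the path: deny
        path = posixpath.dirname(path)

def check_mismatch(rules, repo, requested, checked, user):
    """True when the decision for the path actually checked differs from the
    decision for the path the user requested (the situation in this report)."""
    return can_read(rules, repo, requested, user) != can_read(rules, repo, checked, user)

RULES = load_rules(AUTHZ)

if __name__ == "__main__":
    # 'alice' is a hypothetical non-admin user.
    for user in ("alice", "admin"):
        print(user, check_mismatch(RULES, "myproject",
                                   "/tags/REL-1.0/secret", "/trunk/secret", user))
```

A mismatch for a non-admin user means the browser's decision depends on which path is handed to the permission check, so a test of this kind belongs next to any fix that changes the resource passed to it.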