Edgewall Software

Opened 13 years ago

Last modified 11 years ago

#9976 closed defect

Permission check of Repository Browser does not work — at Initial Version

Reported by: anonymous
Owned by:
Priority: normal
Milestone: 0.12.3
Component: version control/browser
Version: 0.12.1
Severity: normal
Keywords: svnauthz, authzsourcepolicy
Cc: dmitry@…
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

The permission check of the Repository Browser does not work correctly for me. Is it a bug (security incident), or is it according to the specification?

I am using trac0.12.1 and Subversion in my project. I created a tag for my project and set the access permissions for it. But the folders under the tag can be accessed with the repository browser, even if the user doesn't have permission to access them.

And it worked well when I used svn access.


Details:

(1) Create a tag named "REL-1.0"
svn copy http://host/svn/myproject/trunk/ http://host/svn/myproject/tags/REL-1.0


(2) Set permissions for the tag
This is part of my svnauth file after I finished setting the permissions:

[myproject:/tags/REL-1.0]
* = r
admin = r

[myproject:/tags/REL-1.0/secret]
* = 
admin = r


(3) Log in with a user (not admin)
Access the secret folder via the repository browser:
http://host/trac/myproject/browser/tags/REL-1.0/secret

The folders and files under "/tags/REL-1.0/secret" are displayed.
I think this is not correct.

(4) Verify via svn access (not admin)
http://host/svn/myroject/tags/REL-2.0/secret/

The access was refused because there was not enough permission.
I think this is correct.

P.S. I have debugged the source code of "browser.py" and "perm.py". I found that when I accessed the "/tags/REL-1.0/secret" folder via the repository browser, the permission of "/trunk/secret" was checked by the first line of the _render_dir method in "browser.py" (node.resource). I think the permission of "/tags/REL-1.0/secret" should be checked instead.
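As an added illustration (not part of the ticket, and not Trac's or Subversion's own code), the following minimal Python evaluator applies the path-based rules from the svnauthz fragment above, simplified to user and `*` rules (no groups, aliases or `~` negation). It shows why checking the copy source matters: the requested path `/tags/REL-1.0/secret` yields an explicit deny for a non-admin user, while `/trunk/secret` matches no rule at all, so a policy that defers to a permissive default (assumed here, as Trac's AuthzSourcePolicy does when it returns no decision) ends up showing the folder. The user name `user` and the default-allow fallback are assumptions.

```python
import configparser
import posixpath

# Constructed svnauthz content, copied from the fragment quoted in the ticket (assumed file).
AUTHZ = """
[myproject:/tags/REL-1.0]
* = r
admin = r

[myproject:/tags/REL-1.0/secret]
* =
admin = r
"""

def load_authz(text):
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive, as Subversion does
    cp.read_string(text)
    return cp

def can_read(authz, repo, path, user):
    """Subversion-style lookup, simplified to user and '*' rules (no groups).
    Walk from the requested path up to '/'; the deepest section holding a rule
    for the user (a user-specific rule beats '*') decides. Returns True/False
    when a rule applies and None when none does, mirroring a policy that makes
    no decision and defers to the next permission policy."""
    path = "/" + path.strip("/")
    while True:
        for section in ("%s:%s" % (repo, path), path):  # repo-scoped, then global
            if authz.has_section(section):
                rules = authz[section]
                for who in (user, "*"):
                    if who in rules:
                        return "r" in (rules[who] or "")
        if path == "/":
            return None
        path = posixpath.dirname(path)

def browser_allows(authz, repo, path, user, default_allow=True):
    """What the browser ends up doing: an authz decision wins; with no decision
    the (assumed permissive) default policy grants the view."""
    decision = can_read(authz, repo, path, user)
    return default_allow if decision is None else decision

if __name__ == "__main__":
    authz = load_authz(AUTHZ)
    requested, copy_source = "/tags/REL-1.0/secret", "/trunk/secret"
    print("check requested path:", browser_allows(authz, "myproject", requested, "user"))    # False
    print("check copy source:   ", browser_allows(authz, "myproject", copy_source, "user"))  # True
```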

Change History (0)
