Posted to users@subversion.apache.org by John Conrad <co...@gmail.com> on 2011/02/09 02:18:51 UTC

View Log Problems When Using Path Based Authentication

I have a repository that I have configured to use path based permissions
via svnserve (additional config info below). Any user that has
authenticated has full read/write access to the entire repository while
anonymous users have read only access to a single path in the repository,
all other paths forbidden. These permissions appear to be working
correctly, everyone can update, check out, and commit what is expected.

The PROBLEM occurs when I try to view the log of a path inside the
restricted area accessible only to authenticated users. With authentication
cache cleared, executing an 'svn ls' correctly challenges you for
credentials while 'svn log' produces the "svn: Item is not readable" error
message. This makes it impossible to retrieve a log for these areas of
the repository. These are the specific commands I have used:

	svn ls svn://myserver/restricted    <-- works
	svn log svn://myserver/restricted   <-- fails

If the authentication cache is populated when I execute 'svn log' I get the
same error. If I manually specify the username and password for the
'svn log' command I get the same error.

My configuration files are listed below and I am running SVN 1.6.12 with
a fsfs database. Anyone have any idea what is going on here? Do I have
something misconfigured? I feel like I may have found a bug. Thanks in
advance.

-- John

svnserve.conf:

	[general]
	password-db = passwd
	authz-db = authz

authz:

	[/]
	$anonymous =
	$authenticated = rw

	[/api]
	$anonymous = r

Re: View Log Problems When Using Path Based Authentication

Posted by Alexei Colin <al...@yahoo.com>.
In reply to (not sure if my In-Reply-To header hackery will work
-- I wasn't a subscriber at the time):
 > From: John Conrad <co...@gmail.com>
 > Date: Tue, 8 Feb 2011 19:18:51 -0600

The problem described by John Conrad a few days ago (see msg below)
has surfaced for me as well. My setup is similar to his, and the
described symptom is also observed:
$ svn log --username=<user_without_r_access> svn://<restricted_path>
svn: Item is not readable
$ svn ls --username=<user_without_r_access> svn://<restricted_path>
svn: Authorization failed

The difference in the output pointed out by John seems to be
the root of the problem. I stumbled upon a different symptom of
the problem: svn log *silently* truncates the metadata that
refers to paths to which the user does not have read access.
See bottom for an example.

While it makes sense for metadata to be restricted -- the client
probably should notify the (utterly confused) user that it is
truncating the metadata in the 'log' output. As it currently stands,
the output of log on a revision with metadata pointing to a
restricted path looks exactly as if there were no metadata in it at
all. Not good. Comments on whether this lack of notification in the
'log' output is a bug or missing functionality would be appreciated.

Brief example [formatting modified for conciseness]:

$ svn --version
svn, version 1.6.12 (r955767) compiled Jan 14 2011, 22:18:51
# Same version for svnadmin and svnserve

** This is the true history of path "/allowed" and is how the user
with access to all paths sees it:
$ svn log -v --username=fulluser svn://localhost/testrepo/allowed
r6 | acolin | 2011-02-15 23:14:28 -0500 (Tue, 15 Feb 2011) | 2 lines
Changed paths:
    A /allowed/dest (from /denied/source:5)
Copying from denied path to allowed path.
------------------------------------------------------------------------
r1 | acolin | 2011-02-15 23:10:17 -0500 (Tue, 15 Feb 2011) | 1 line
Changed paths:
    A /allowed
Created a directory to which access will be allowed.
------------------------------------------------------------------------

** This is how a user without read access to path "/denied/source"
sees _the same_ history for path "/allowed" [note the silent lack of
metadata in revision r6 -- neither copy/move metadata, nor commit msg]:
$ svn log -v --username=restricteduser svn://localhost/testrepo/allowed
r6 | acolin | 2011-02-15 23:14:28 -0500 (Tue, 15 Feb 2011) | 1 line
Changed paths:
    A /allowed/dest
------------------------------------------------------------------------
r1 | acolin | 2011-02-15 23:10:17 -0500 (Tue, 15 Feb 2011) | 1 line
Changed paths:
    A /allowed
Created a directory to which access will be allowed.
------------------------------------------------------------------------

Original message (surprisingly the only thing I found on the net
referencing this problem was only a few days old):

 > From: John Conrad <co...@gmail.com>
 > Date: Tue, 8 Feb 2011 19:18:51 -0600
 > Subject: View Log Problems When Using Path Based Authentication
 >
 > I have a repository that I have configured to use path based permissions
 > via svnserve (additional config info below). Any user that has
 > authenticated has full read/write access to the entire repository while
 > anonymous users have read only access to a single path in the repository,
 > all other paths forbidden. These permissions appear to be working
 > correctly, everyone can update, check out, and commit what is expected.
 >
 > The PROBLEM occurs when I try to view the log of a path inside the
 > restricted area accessible only to authenticated users. With authentication
 > cache cleared, executing an 'svn ls' correctly challenges you for
 > credentials while 'svn log' produces the "svn: Item is not readable" error
 > message. This makes it impossible to retrieve a log for these areas of
 > the repository. These are the specific commands I have used:
 >
 >     svn ls svn://myserver/restricted <-- works
 >     svn log svn://myserver/restricted <-- fails
 >
 > If the authentication cache is populated when I execute 'svn log' I get the
 > same error. If I manually specify the username and password for the
 > 'svn log' command I get the same error.
 >
 > My configuration files are listed below and I am running SVN 1.6.12 with
 > a fsfs database. Anyone have any idea what is going on here? Do I have
 > something misconfigured? I feel like I may have found a bug. Thanks in
 > advance.
 >
 > -- John
 >
 > svnserve.conf:
 >
 >     [general]
 >     password-db = passwd
 >     authz-db = authz
 >
 > authz:
 >
 >     [/]
 >     $anonymous =
 >     $authenticated = rw
 >
 >     [/api]
 >     $anonymous = r

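
A way to make the silent truncation shown in the reply visible, as an added example (not part of the original thread): parse 'svn log -v' output captured as a fully authorized user and as a restricted user, then report what the restricted view lacks. The sample input is rebuilt from the condensed output quoted in the message; parse_log and hidden_metadata are names made up for the illustration.

```python
import re

# Sample input rebuilt from the condensed `svn log -v` output quoted in the message.
SEP = "-" * 72 + "\n"
R1 = ("r1 | acolin | 2011-02-15 23:10:17 -0500 (Tue, 15 Feb 2011) | 1 line\n"
      "Changed paths:\n    A /allowed\n"
      "Created a directory to which access will be allowed.\n")
HDR6 = "r6 | acolin | 2011-02-15 23:14:28 -0500 (Tue, 15 Feb 2011) | "
FULL = (HDR6 + "2 lines\nChanged paths:\n"
        "    A /allowed/dest (from /denied/source:5)\n"
        "Copying from denied path to allowed path.\n" + SEP + R1 + SEP)
RESTRICTED = (HDR6 + "1 line\nChanged paths:\n    A /allowed/dest\n"
              + SEP + R1 + SEP)

HEADER = re.compile(r"^r(\d+) \| ")
PATH = re.compile(r"^\s+([A-Z]) (.+?)(?: \(from (.+):(\d+)\))?$")

def parse_log(text):
    """Map revision number -> changed paths (with copy source) and message."""
    revs = {}
    for chunk in re.split(r"^-{10,}$", text, flags=re.M):
        lines = [l for l in chunk.splitlines() if l.strip()]
        if not lines or not HEADER.match(lines[0]):
            continue
        paths, msg = {}, []
        for line in lines[1:]:
            m = PATH.match(line)
            if line == "Changed paths:":
                continue
            if m and not msg:
                paths[m.group(2)] = m.group(3)   # copy source path, or None
            else:
                msg.append(line)
        rev = int(HEADER.match(lines[0]).group(1))
        revs[rev] = {"paths": paths, "message": "\n".join(msg)}
    return revs

def hidden_metadata(full, restricted):
    """List (revision, finding) pairs for data present only in the full view."""
    findings = []
    for rev, f in sorted(full.items()):
        r = restricted.get(rev, {"paths": {}, "message": ""})
        if f["message"] and not r["message"]:
            findings.append((rev, "commit message withheld"))
        for path, src in f["paths"].items():
            if path not in r["paths"]:
                findings.append((rev, "changed path hidden: " + path))
            elif src and not r["paths"][path]:
                findings.append((rev, "copy source hidden: " + path))
    return findings
```

For the two views quoted above, only r6 is reported, once for the commit message and once for the copy source of /allowed/dest; r1 is identical in both.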