You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@subversion.apache.org by Martin Wulffeld <ma...@wulffeld.org> on 2004/10/04 09:57:26 UTC

[PATCH] Ability to specify groups in groups (second time)

Hi

This is the second time I submit this patch. First time was a diff
against 1.0.8 since collab.net was down. This diff is against HEAD.

* subversion/mod_authz_svn/mod_authz_svn.c
  (group_contains_user): Made it call itself if it encounters a
  group. An extra argument 'level' added to guard against excessive
  recursion.
  All callers changed.

This is about the access control file specified via the
AuthzSVNAccessFile directive in httpd.conf. The [groups] part does not
allow one to specify other groups so it gets rather cumbersome to deal
with lots of users who are in different groups. For example:

[groups]
permstaff = a, b, c, d, e
consultants = f, m
everyone = @permstaff, @consultants

-- 
 Martin
 http://www.wulffeld.org/
 http://www.allornone.org/

Re: [PATCH] Ability to specify groups in groups (second time)

Posted by Erik Huelsmann <eh...@gmail.com>.

Hi Martin,

> This is the second time I submit this patch. First time was a diff
> against 1.0.8 since collab.net was down. This diff is against HEAD.
> 
> * subversion/mod_authz_svn/mod_authz_svn.c
>   (group_contains_user): Made it call itself if it encounters a
>   group. An extra argument 'level' added to guard against excessive
>   recursion.
>   All callers changed.
> 
> This is about the access control file specified via the
> AuthzSVNAccessFile directive in httpd.conf. The [groups] part does not
> allow one to specify other groups so it gets rather cumbersome to deal
> with lots of users who are in different groups. For example:

I know the patch has already been filed and I'm rather late with my
reaction, but could you change the patch to detect circular reference
instead of posing the somewhat arbitrary limit of 10 on group nesting?


Thanks!

bye,

Erik.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Ability to specify groups in groups (second time)

Posted by Martin Wulffeld <ma...@wulffeld.org>.

Quoting Michael W Thelen (thelenm@cs.utah.edu):
> >This is about the access control file specified via the
> >AuthzSVNAccessFile directive in httpd.conf. The [groups] part does not
> >allow one to specify other groups so it gets rather cumbersome to deal
> >with lots of users who are in different groups. For example:
> >
> >[groups]
> >permstaff = a, b, c, d, e
> >consultants = f, m
> >everyone = @permstaff, @consultants
> 
> Thanks for the patch.  I've filed it as issue #2085:
> http://subversion.tigris.org/issues/show_bug.cgi?id=2085

Hi

Here's a new revision of this patch based on Erik Huelsmann
wish. Sorry for not following up on his post. I accidently deleted
it.

The detection simply adds the groups it encounters to a hash
'checked_groups'. If a group exist in the hash it doesn't
recurse. This version does not change callers which the
previous patch did.

Revised log message (suggestion):

* subversion/mod_authz_svn/mod_authz_svn.c
  (group_contains_user, group_contains_user_check): Split up into two
  functions. A hash for the circular dependency check is created in
  group_contains_user() and passed to group_contains_user_check(). The
  _check() function now does the actual check and recurses if it
  encounters a group. 

-- 
 Martin
 http://www.wulffeld.org/
 http://www.allornone.org/

Re: [PATCH] Ability to specify groups in groups (second time)

Posted by Michael W Thelen <th...@cs.utah.edu>.

Martin Wulffeld wrote:
> * subversion/mod_authz_svn/mod_authz_svn.c
>   (group_contains_user): Made it call itself if it encounters a
>   group. An extra argument 'level' added to guard against excessive
>   recursion.
>   All callers changed.
> 
> This is about the access control file specified via the
> AuthzSVNAccessFile directive in httpd.conf. The [groups] part does not
> allow one to specify other groups so it gets rather cumbersome to deal
> with lots of users who are in different groups. For example:
> 
> [groups]
> permstaff = a, b, c, d, e
> consultants = f, m
> everyone = @permstaff, @consultants

Thanks for the patch.  I've filed it as issue #2085:
http://subversion.tigris.org/issues/show_bug.cgi?id=2085

-- 
Michael W Thelen
It is a mistake to think you can solve any major problems just with
potatoes.       -- Douglas Adams