Posted to commits@subversion.apache.org by sv...@apache.org on 2022/03/29 04:00:59 UTC
svn commit: r1899336 - in /subversion/branches/1.10.x: ./ STATUS subversion/libsvn_repos/authz.c subversion/tests/libsvn_repos/authz-test.c
Author: svn-role
Date: Tue Mar 29 04:00:59 2022
New Revision: 1899336
URL: http://svn.apache.org/viewvc?rev=1899336&view=rev
Log:
Merge the 1.10.x-issue4762 branch:
* r1835049, r1882326
Fix issue #4762 "authz doesn't combine global and repository rules"
Justification:
Restore behaviour of SVN 1.9: It is now again possible to override
per-path access rules for specific users (and groups) at the global
level. Such global rules are overridden by repository-specific rules
only if both the user and the path match the repository-specific rule.
Branch: ^/subversion/branches/1.10.x-issue4762
Votes:
+1: stsp, jcorvel, markphip
Modified:
subversion/branches/1.10.x/ (props changed)
subversion/branches/1.10.x/STATUS
subversion/branches/1.10.x/subversion/libsvn_repos/authz.c
subversion/branches/1.10.x/subversion/tests/libsvn_repos/authz-test.c
Propchange: subversion/branches/1.10.x/
------------------------------------------------------------------------------
Merged /subversion/trunk:r1835049,1882326
Merged /subversion/branches/1.10.x-issue4762:r1885788-1899335
Modified: subversion/branches/1.10.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/STATUS?rev=1899336&r1=1899335&r2=1899336&view=diff
==============================================================================
--- subversion/branches/1.10.x/STATUS (original)
+++ subversion/branches/1.10.x/STATUS Tue Mar 29 04:00:59 2022
@@ -31,17 +31,6 @@ Veto-blocked changes:
Approved changes:
=================
- * r1835049, r1882326
- Fix issue #4762 "authz doesn't combine global and repository rules"
- Justification:
- Restore behaviour of SVN 1.9: It is now again possible to override
- per-path access rules for specific users (and groups) at the global
- level. Such global rules are overridden by repository-specific rules
- only if both the user and the path match the repository-specific rule.
- Branch: ^/subversion/branches/1.10.x-issue4762
- Votes:
- +1: stsp, jcorvel, markphip
-
* r1875602
Remove incorrect include paths from svn_cv_ruby_includes.
Justification:
Modified: subversion/branches/1.10.x/subversion/libsvn_repos/authz.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/libsvn_repos/authz.c?rev=1899336&r1=1899335&r2=1899336&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/libsvn_repos/authz.c (original)
+++ subversion/branches/1.10.x/subversion/libsvn_repos/authz.c Tue Mar 29 04:00:59 2022
@@ -914,9 +914,7 @@ create_user_authz(authz_full_t *authz,
/* Use a separate sub-pool to keep memory usage tight. */
apr_pool_t *subpool = svn_pool_create(scratch_pool);
- /* Find all ACLs for REPOSITORY.
- * Note that repo-specific rules replace global rules,
- * even if they don't apply to the current user. */
+ /* Find all ACLs for REPOSITORY. */
apr_array_header_t *acls = apr_array_make(subpool, authz->acls->nelts,
sizeof(authz_acl_t *));
for (i = 0; i < authz->acls->nelts; ++i)
@@ -933,15 +931,36 @@ create_user_authz(authz_full_t *authz,
= APR_ARRAY_IDX(acls, acls->nelts - 1, const authz_acl_t *);
if (svn_authz__compare_paths(&prev_acl->rule, &acl->rule) == 0)
{
+ svn_boolean_t global_acl_applies;
+ svn_boolean_t repos_acl_applies;
+
+ /* Previous ACL is a global rule. */
SVN_ERR_ASSERT_NO_RETURN(!strcmp(prev_acl->rule.repos,
AUTHZ_ANY_REPOSITORY));
+ /* Current ACL is a per-repository rule. */
SVN_ERR_ASSERT_NO_RETURN(strcmp(acl->rule.repos,
AUTHZ_ANY_REPOSITORY));
- apr_array_pop(acls);
+
+ global_acl_applies =
+ svn_authz__get_acl_access(NULL, prev_acl, user, repository);
+ repos_acl_applies =
+ svn_authz__get_acl_access(NULL, acl, user, repository);
+
+ /* Prefer rules which apply to both this user and this path
+ * over rules which apply only to the path. In cases where
+ * both rules apply to user and path, always prefer the
+ * repository-specific rule. */
+ if (!global_acl_applies || repos_acl_applies)
+ {
+ apr_array_pop(acls);
+ APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
+ }
}
+ else
+ APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
}
-
- APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
+ else
+ APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
}
}
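Review bot: The comment above `if (!global_acl_applies || repos_acl_applies)` names two outcomes but not the third one the condition also selects: when neither rule applies to the user, the repository-specific ACL still replaces the global one. Because this branch decides which ACL lands in the per-user list, I would spell that out, e.g. `/* If neither rule applies to this user, the repository rule still replaces the global one. */`. Judging by the comment removed in the previous hunk, an authz file that relied on a repository stanza to cut off a global grant will now give access to users named only in the global rule, so that upgrade effect seems worth a release-note line for administrators. create_user_authz begins and ends outside this hunk.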
Modified: subversion/branches/1.10.x/subversion/tests/libsvn_repos/authz-test.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/tests/libsvn_repos/authz-test.c?rev=1899336&r1=1899335&r2=1899336&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/tests/libsvn_repos/authz-test.c (original)
+++ subversion/branches/1.10.x/subversion/tests/libsvn_repos/authz-test.c Tue Mar 29 04:00:59 2022
@@ -478,6 +478,39 @@ issue_4741_groups(apr_pool_t *pool)
return SVN_NO_ERROR;
}
+static svn_error_t *
+reposful_reposless_stanzas_inherit(apr_pool_t *pool)
+{
+ const char rules[] =
+ "[groups]" NL
+ "company = user1, user2, user3" NL
+ "customer = customer1, customer2" NL
+ "" NL
+ "# company can read-write on everything" NL
+ "[/]" NL
+ "@company = rw" NL
+ "" NL
+ "[project1:/]" NL
+ "@customer = r" NL
+ "" NL
+ "[project2:/]" NL;
+
+ svn_stringbuf_t *buf = svn_stringbuf_create(rules, pool);
+ svn_stream_t *stream = svn_stream_from_stringbuf(buf, pool);
+ svn_authz_t *authz;
+ svn_boolean_t access_granted;
+
+ SVN_ERR(svn_repos_authz_parse(&authz, stream, NULL, pool));
+
+ SVN_ERR(svn_repos_authz_check_access(authz, "project1", "/foo", "user1",
+ svn_authz_write | svn_authz_recursive,
+ &access_granted,
+ pool));
+ SVN_TEST_ASSERT(access_granted == TRUE);
+
+ return SVN_NO_ERROR;
+}
+
static int max_threads = 4;
static struct svn_test_descriptor_t test_funcs[] =
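Review bot: The new test reposful_reposless_stanzas_inherit asserts only the positive case (user1 gains write on project1 through the global `[/]` rule), so a regression that made the merge too permissive would still pass. The rules string already contains what is needed for deny-side checks: customer1 is granted only `r` in `[project1:/]` and should be refused write there, and the `[project2:/]` stanza is declared but never queried. Adding those assertions pins the precedence from both directions; a case where the repository rule names the same user as the global rule would also be useful but needs an extra rule line.

```c
  /* … unchanged: parse rules, user1 write check on project1 … */

  /* customer1 is named only in [project1:/] with 'r': write must be denied. */
  SVN_ERR(svn_repos_authz_check_access(authz, "project1", "/foo", "customer1",
                                       svn_authz_write | svn_authz_recursive,
                                       &access_granted,
                                       pool));
  SVN_TEST_ASSERT(access_granted == FALSE);

  /* The empty [project2:/] stanza must not hide the global grant for user1. */
  SVN_ERR(svn_repos_authz_check_access(authz, "project2", "/foo", "user1",
                                       svn_authz_write | svn_authz_recursive,
                                       &access_granted,
                                       pool));
  SVN_TEST_ASSERT(access_granted == TRUE);
```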
@@ -489,6 +522,8 @@ static struct svn_test_descriptor_t test
"test svn_authz__get_global_rights"),
SVN_TEST_PASS2(issue_4741_groups,
"issue 4741 groups"),
+ SVN_TEST_PASS2(reposful_reposless_stanzas_inherit,
+ "[foo:/] inherits [/]"),
SVN_TEST_NULL
};