Posted to issues@subversion.apache.org by "Daniel Shahaf (Jira)" <ji...@apache.org> on 2021/08/14 12:29:00 UTC

[jira] [Updated] (SVN-4878) DELETE /file requires svn_authz_recursive, fails due to glob rules

     [ https://issues.apache.org/jira/browse/SVN-4878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Shahaf updated SVN-4878:
-------------------------------
    Summary: DELETE /file requires svn_authz_recursive, fails due to glob rules  (was: E175013: svn authz Access denied, )

> DELETE /file requires svn_authz_recursive, fails due to glob rules
> ------------------------------------------------------------------
>
>                 Key: SVN-4878
>                 URL: https://issues.apache.org/jira/browse/SVN-4878
>             Project: Subversion
>          Issue Type: Bug
>          Components: mod_authz_svn
>    Affects Versions: 1.12.x, 1.14.1
>         Environment: OS: Debian 9
> SVN: 1.14.1
> Apache/2.4.25 (Debian)  SVN/1.14.1  mod_wsgi/4.5.11  Python/2.7
> svn client:
>  
> {code:java}
> $ svn --version
> svn, version 1.13.0 (r1867053)
>  compiled Nov 5 2019, 06:46:51 on x86_64-apple-darwin19.0.0 
> {code}
> Was replicated as well by a customer with
> SVN/1.14.1 (x64-microsoft-windows) serf/1.3.9 TortoiseSVN-1.14.1.29085
>            Reporter: Andrei Cusnir
>            Priority: Major
>
>  
> Need to have a user that is not allowed to see any paths with Source in it
> and is allowed to have full access to the files ending in uasset.
> While the user can add and update any uasset files, it is not possible to delete such a file.
> Described by the following authz file:
>  
> {code:java}
> [groups]
> r_users = andrei
> [:glob:/]
> * = rw
> [:glob:/**/*.uasset]
> @r_users = rw
> [:glob:/**/Source/**]
> @r_users =
> {code}
>  
> The uasset files have no parents and were added from a single commit to replicate a customer issue.
> Example of the svn rm command and output:
> {noformat}
> $ svn rm https://subversion.assembla.com/svn/andrei-hook-test/trunk/SomeTestProject/Projects/ShooterGame/Content/Mods/OtherProjectName/Assets/Foliage/Trees/StepeeGrass/Grass01/SteppeGrass01.uasset
> svn: E175013: Access to '/svn/andrei-hook-test/!svn/txr/13-f/trunk/SomeTestProject/Projects/ShooterGame/Content/Mods/OtherProjectName/Assets/Foliage/Trees/StepeeGrass/Grass01/SteppeGrass01.uasset' forbidden
> svn: E175013: Your commit message was left in a temporary file:
> svn: E175013: 'svn-commit.7.tmp'{noformat}
> Adding Daniel Shahaf's comments:
> {noformat}
> The following test results in SKIP/PASS/XFAIL on ra_local/ra_svn/ra_serf,
> respectively.  It's a bit rough — no comments and line length style
> violation — but putting it here for anyone who may want to take this
> further.
> When testing this I commented out the AuthzSVNReposRelativeAccessFile
> line in davautocheck.sh for reasons discussed in the "1.14.x test
> failure under USE_HTTPV1=1: ra-test 13 commit_empty_last_change" thread
> (the secondary problem in that thread, not the one the subject line is
> about).
> Cheers,
> Daniel
> [[[
> Index: subversion/tests/cmdline/authz_tests.py
> ===================================================================
> --- subversion/tests/cmdline/authz_tests.py	(revision 1891909)
> +++ subversion/tests/cmdline/authz_tests.py	(working copy)
> @@ -1732,6 +1732,25 @@ def empty_group(sbox):
>                                       sbox.repo_url)
>  
>  
> +@XFail(svntest.main.is_ra_type_dav)
> +@Skip(svntest.main.is_ra_type_file)
> +def delete_file_with_starstar_rules(sbox):
> +  "delete file with ** rules"
> +
> +  sbox.build(create_wc = False)
> +
> +  write_restrictive_svnserve_conf(sbox.repo_dir)
> +
> +  prefixed_rules = dict()
> +  prefixed_rules[':glob:/**/lorem'] = '* = \n'
> +  prefixed_rules['/'] = '%s = rw\n' % (svntest.main.wc_author,)
> +  prefixed_rules['/A'] = '%s = \n' % (svntest.main.wc_author,)
> +  prefixed_rules['/iota'] = '%s = rw\n' % (svntest.main.wc_author,)
> +  write_authz_file(sbox, None, prefixed_rules = prefixed_rules)
> +
> +  svntest.main.run_svn(None, 'rm', sbox.repo_url + '/iota', '-m', 'Delete by URL')
> +
> +
>  ########################################################################
>  # Run the tests
>  
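Review bot: The `@XFail(svntest.main.is_ra_type_dav)` on `delete_file_with_starstar_rules` has no link to the issue it tracks, and the `prefixed_rules` entries have no comments, so a reader cannot tell why the delete is expected to succeed. Add `@Issue(4878)` next to the other decorators and a short comment stating that `/iota` is granted `rw` explicitly while the `:glob:/**/lorem` deny names an unrelated basename, so the only thing that can block the `rm` is the `**` rule being treated as possibly matching the target. The final `svntest.main.run_svn(None, 'rm', ...)` line is also over the line-length limit and should be wrapped.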
> @@ -1771,6 +1790,7 @@ test_list = [ None,
>                inverted_group_membership,
>                group_member_empty_string,
>                empty_group,
> +              delete_file_with_starstar_rules,
>               ]
>  serial_only = True
>  
> ]]]{noformat}
> The issue is described here as well; leaving the thread link for reference:
> [https://lists.apache.org/thread.html/r3100972e80e3e0a2227661950d080dc08eed26447835a390c9c4b762%40%3Cusers.subversion.apache.org%3E]
>  


