Posted to commits@subversion.apache.org by sv...@apache.org on 2020/12/18 04:00:28 UTC
svn commit: r1884590 - in /subversion/branches/1.14.x: ./ STATUS
subversion/libsvn_repos/authz.c subversion/tests/libsvn_repos/authz-test.c
Author: svn-role
Date: Fri Dec 18 04:00:28 2020
New Revision: 1884590
URL: http://svn.apache.org/viewvc?rev=1884590&view=rev
Log:
Merge r1882326 from trunk:
* r1882326
Fix issue #4762 "authz doesn't combine global and repository rules"
Justification:
Restore behaviour of SVN 1.9: It is now again possible to override
per-path access rules for specific users (and groups) at the global
level. Such global rules are overridden by repository-specific rules
only if both the user and the path match the repository-specific rule.
Votes:
+1: stsp, brane, jcorvel
Modified:
subversion/branches/1.14.x/ (props changed)
subversion/branches/1.14.x/STATUS
subversion/branches/1.14.x/subversion/libsvn_repos/authz.c
subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c
Propchange: subversion/branches/1.14.x/
------------------------------------------------------------------------------
Merged /subversion/trunk:r1882326
Modified: subversion/branches/1.14.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/STATUS?rev=1884590&r1=1884589&r2=1884590&view=diff
==============================================================================
--- subversion/branches/1.14.x/STATUS (original)
+++ subversion/branches/1.14.x/STATUS Fri Dec 18 04:00:28 2020
@@ -73,16 +73,6 @@ Veto-blocked changes:
Approved changes:
=================
- * r1882326
- Fix issue #4762 "authz doesn't combine global and repository rules"
- Justification:
- Restore behaviour of SVN 1.9: It is now again possible to override
- per-path access rules for specific users (and groups) at the global
- level. Such global rules are overridden by repository-specific rules
- only if both the user and the path match the repository-specific rule.
- Votes:
- +1: stsp, brane, jcorvel
-
* r1878997, r1879192, r1879474, r1879959
Fix issue #4859, Merge removing a folder with non-inheritable mergeinfo
-> E155023: can't set properties: invalid status for updating properties
Modified: subversion/branches/1.14.x/subversion/libsvn_repos/authz.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/subversion/libsvn_repos/authz.c?rev=1884590&r1=1884589&r2=1884590&view=diff
==============================================================================
--- subversion/branches/1.14.x/subversion/libsvn_repos/authz.c (original)
+++ subversion/branches/1.14.x/subversion/libsvn_repos/authz.c Fri Dec 18 04:00:28 2020
@@ -889,9 +889,7 @@ create_user_authz(authz_full_t *authz,
/* Use a separate sub-pool to keep memory usage tight. */
apr_pool_t *subpool = svn_pool_create(scratch_pool);
- /* Find all ACLs for REPOSITORY.
- * Note that repo-specific rules replace global rules,
- * even if they don't apply to the current user. */
+ /* Find all ACLs for REPOSITORY. */
apr_array_header_t *acls = apr_array_make(subpool, authz->acls->nelts,
sizeof(authz_acl_t *));
for (i = 0; i < authz->acls->nelts; ++i)
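Review bot: The shortened comment `/* Find all ACLs for REPOSITORY. */` drops the only function-level statement of how global and repository-specific rules are combined, and nothing replaces it here. The precedence changed rather than disappeared, so the comment should state the new rule where a maintainer first reads it, for example `/* Find all ACLs for REPOSITORY. Where a global and a repository-specific rule cover the same path, one of the two is kept for USER; see the selection below. */`. create_user_authz begins before this hunk and continues past it.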
@@ -908,15 +906,36 @@ create_user_authz(authz_full_t *authz,
= APR_ARRAY_IDX(acls, acls->nelts - 1, const authz_acl_t *);
if (svn_authz__compare_paths(&prev_acl->rule, &acl->rule) == 0)
{
+ svn_boolean_t global_acl_applies;
+ svn_boolean_t repos_acl_applies;
+
+ /* Previous ACL is a global rule. */
SVN_ERR_ASSERT_NO_RETURN(!strcmp(prev_acl->rule.repos,
AUTHZ_ANY_REPOSITORY));
+ /* Current ACL is a per-repository rule. */
SVN_ERR_ASSERT_NO_RETURN(strcmp(acl->rule.repos,
AUTHZ_ANY_REPOSITORY));
- apr_array_pop(acls);
+
+ global_acl_applies =
+ svn_authz__get_acl_access(NULL, prev_acl, user, repository);
+ repos_acl_applies =
+ svn_authz__get_acl_access(NULL, acl, user, repository);
+
+ /* Prefer rules which apply to both this user and this path
+ * over rules which apply only to the path. In cases where
+ * both rules apply to user and path, always prefer the
+ * repository-specific rule. */
+ if (!global_acl_applies || repos_acl_applies)
+ {
+ apr_array_pop(acls);
+ APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
+ }
}
+ else
+ APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
}
-
- APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
+ else
+ APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl;
}
}
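Review bot: The test at `if (!global_acl_applies || repos_acl_applies)` keeps the global rule whenever it matches the user and the repository rule does not, so a repository stanza that names only some users no longer shadows a global entry for everyone else on that path. The log states this is the intended 1.9 behaviour, but authz files written against the replace semantics described in the removed comment can end up granting more than before once this is deployed, and the inner comment should say so, e.g. by adding `* NOTE: a global rule naming USER wins over a repository rule that does not name USER.`. Both calls pass NULL for the access out-parameter, so presumably an entry that matches the user counts as "applies" even when it grants no access; that is worth confirming and writing down, because it decides whether a global deny survives a repository stanza. The test hunk only flips one XFAIL to PASS, so it is not visible here whether the three outcomes (only global applies, both apply, neither applies) are each pinned by a test. create_user_authz starts and ends outside this hunk.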
Modified: subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c?rev=1884590&r1=1884589&r2=1884590&view=diff
==============================================================================
--- subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c (original)
+++ subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c Fri Dec 18 04:00:28 2020
@@ -522,7 +522,7 @@ static struct svn_test_descriptor_t test
"test svn_authz__get_global_rights"),
SVN_TEST_PASS2(issue_4741_groups,
"issue 4741 groups"),
- SVN_TEST_XFAIL2(reposful_reposless_stanzas_inherit,
+ SVN_TEST_PASS2(reposful_reposless_stanzas_inherit,
"[foo:/] inherits [/]"),
SVN_TEST_NULL
};