Posted to issues@subversion.apache.org by "Andrei Cusnir (Jira)" <ji...@apache.org> on 2021/08/02 12:28:00 UTC
[jira] [Created] (SVN-4878) E175013: svn authz Access denied,
Andrei Cusnir created SVN-4878:
----------------------------------
Summary: E175013: svn authz Access denied,
Key: SVN-4878
URL: https://issues.apache.org/jira/browse/SVN-4878
Project: Subversion
Issue Type: Bug
Components: mod_authz_svn
Affects Versions: 1.12.x, 1.14.1
Environment: OS: Debian 9
SVN: 1.14.1
Apache/2.4.25 (Debian) SVN/1.14.1 mod_wsgi/4.5.11 Python/2.7
svn client:
{code:java}
$ svn --version
svn, version 1.13.0 (r1867053)
compiled Nov 5 2019, 06:46:51 on x86_64-apple-darwin19.0.0
{code}
Was replicated as well by the customer with
SVN/1.14.1 (x64-microsoft-windows) serf/1.3.9 TortoiseSVN-1.14.1.29085
Reporter: Andrei Cusnir
Need to have a user that is not allowed to see any paths with Source in them
and is allowed to have full access to the files ending in uasset.
The user can add and update any uasset files; however, it is not possible to delete such a file.
This is described by the following authz file:
{code:java}
[groups]
r_users = andrei
[:glob:/]
* = rw
[:glob:/**/*.uasset]
@r_users = rw
[:glob:/**/Source/**]
@r_users =
{code}
The uasset files have no parents and were added from a single commit to replicate a customer issue.
Example of the svn rm command and its output:
{noformat}
$ svn rm https://subversion.assembla.com/svn/andrei-hook-test/trunk/SomeTestProject/Projects/ShooterGame/Content/Mods/OtherProjectName/Assets/Foliage/Trees/StepeeGrass/Grass01/SteppeGrass01.uasset
svn: E175013: Access to '/svn/andrei-hook-test/!svn/txr/13-f/trunk/SomeTestProject/Projects/ShooterGame/Content/Mods/OtherProjectName/Assets/Foliage/Trees/StepeeGrass/Grass01/SteppeGrass01.uasset' forbidden
svn: E175013: Your commit message was left in a temporary file:
svn: E175013: 'svn-commit.7.tmp'{noformat}
Adding Daniel Shahaf's comments:
{noformat}
The following test results in SKIP/PASS/XFAIL on ra_local/ra_svn/ra_serf,
respectively. It's a bit rough — no comments and line length style
violation — but putting it here for anyone who may want to take this
further.
When testing this I commented out the AuthzSVNReposRelativeAccessFile
line in davautocheck.sh for reasons discussed in the "1.14.x test
failure under USE_HTTPV1=1: ra-test 13 commit_empty_last_change" thread
(the secondary problem in that thread, not the one the subject line is
about).
Cheers,
Daniel
[[[
Index: subversion/tests/cmdline/authz_tests.py
===================================================================
--- subversion/tests/cmdline/authz_tests.py (revision 1891909)
+++ subversion/tests/cmdline/authz_tests.py (working copy)
@@ -1732,6 +1732,25 @@ def empty_group(sbox):
sbox.repo_url)
+@XFail(svntest.main.is_ra_type_dav)
+@Skip(svntest.main.is_ra_type_file)
+def delete_file_with_starstar_rules(sbox):
+ "delete file with ** rules"
+
+ sbox.build(create_wc = False)
+
+ write_restrictive_svnserve_conf(sbox.repo_dir)
+
+ prefixed_rules = dict()
+ prefixed_rules[':glob:/**/lorem'] = '* = \n'
+ prefixed_rules['/'] = '%s = rw\n' % (svntest.main.wc_author,)
+ prefixed_rules['/A'] = '%s = \n' % (svntest.main.wc_author,)
+ prefixed_rules['/iota'] = '%s = rw\n' % (svntest.main.wc_author,)
+ write_authz_file(sbox, None, prefixed_rules = prefixed_rules)
+
+ svntest.main.run_svn(None, 'rm', sbox.repo_url + '/iota', '-m', 'Delete by URL')
+
+
########################################################################
# Run the tests
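Review bot: the body of delete_file_with_starstar_rules has no comment saying why the delete is expected to succeed. ':glob:/**/lorem' cannot match '/iota', and '/iota' is granted rw to wc_author, so the rm by URL should pass, and the XFail on DAV is what records the failure. Please state that in a comment, say what the '/A' deny rule contributes to the reproduction, and tie the XFail to the report with @Issue(4878). The run_svn line also exceeds the line-length limit and can be wrapped after the URL argument.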
@@ -1771,6 +1790,7 @@ test_list = [ None,
inverted_group_membership,
group_member_empty_string,
empty_group,
+ delete_file_with_starstar_rules,
]
serial_only = True
]]]{noformat}
The issue is described here as well; leaving the thread link for reference:
[https://lists.apache.org/thread.html/r3100972e80e3e0a2227661950d080dc08eed26447835a390c9c4b762%40%3Cusers.subversion.apache.org%3E]