With respect, you are Just Plain Wrong(tm). :-) The current behavior is by design. I know -- I helped to design it. Read the authz_policy.txt.

Users are allowed to attach arbitrary, unversioned properties to revisions. Additionally, most revisions also have "standard" revision props (revprops), such as svn:author, svn:date, and svn:log. Access to revprops may be restricted, based on readability of changed-paths.

"Based on the readability of changed-paths". We never consider the writability of a revision's changed-paths. Ever. In fact, there is no independent read and write access to revision properties at all. When it comes to revprops, if you can read it, you can write it.

To understand why, you have to understand why we bothered restricting read access to svn:log at all. We only hide the svn:log property because we reasoned that log messages generally refer to the paths modified in the revision with which they are associated. You know the drill: you modify path /foo/bar, and your log message says, "Changed the logic in /foo/bar to be less fooful and more barful."

So our thought was that if a person wasn't allowed to read some path that was changed in a revision, they should also not be able to know that path exists (because the path itself might contain sensitive information[1]). If a person shouldn't know that some path modified in revision R exists, we should then hide the log message for that revision because there's a good chance that the log message refers to the very path we're trying to hide.

But as you can see, none of this logic has anything to do with whether the user has *write* access to the changed paths.

-- C-Mike

[1] There are, of course, places where we *had* to leak some unreadable paths just to get Subversion to work at all. See ``6. KNOWN LEAKAGE OF UNREADABLE PATHS'' in authz_policy.txt.

On 07/19/2012 09:02 AM, Kamesh Jayachandran wrote:
> This is a bug. This allows editing of log message as long as user has some
> write access somewhere in the repository not necessarily on the change paths.
>
> With regards
> Kamesh Jayachandran
>
>
> -----Original Message-----
> From: C. Michael Pilato [mailto:[email protected]]
> Sent: Thu 7/19/2012 6:21 PM
> To: Arwin Arni Nandagopal
> Cc: [email protected]
> Subject: Re: [BUG] Revprop edits are checked for read access.
>
> On 07/19/2012 07:29 AM, Arwin wrote:
>> Hi All,
>>
>> I've raised http://subversion.tigris.org/issues/show_bug.cgi?id=4206 .
>>
>> Here is the Description:
>>
>> <Description>
>> Revision properties are now checked for read access during propedits. This
>> is done by making a GET subrequest to each of the changed paths in that
>> revision. GETs are always checked for read access only.
>>
>> This enables anyone with ONLY read access to a path edit the log message for
>> a revision that modified that path.
>>
>> The attached patch special cases these subrequests by checking for write
>> access for all GET requests except if they are subrequests of PROPFIND or
>> REPORT (in which case they are checked for read access).
>> </Description>
>>
>> Please share your thoughts on this.
>
> There's no bug here. The behavior you see is by design. See my comments in
> the issue you filed.
>
> --
> C. Michael Pilato <[email protected]>
> CollabNet <> www.collab.net <> Enterprise Cloud Development
>

--
C. Michael Pilato <[email protected]>
CollabNet <> www.collab.net <> Enterprise Cloud Development
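Added example (not part of the original thread and not Subversion's code): a simplified Python model of the revprop policy described in the message above, next to the write-based check the bug report asked for. The authz rules, user names, paths and function names are constructed for illustration, and the rule lookup is a simplification of Subversion's path-based authorization.

```python
import configparser

# Constructed authz-style rules (not from the thread). "rw" = read/write,
# "r" = read-only, empty = no access. Simplified lookup: the nearest ancestor
# section that names the user, or "*", decides.
AUTHZ = """
[/]
* = r
[/foo]
harry = rw
[/secret]
* =
sally = r
"""

def load_rules(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}

def access(rules, user, path):
    """Return 'rw', 'r' or '' for user on path."""
    node = path.rstrip("/") or "/"
    while True:
        section = rules.get(node, {})
        for who in (user, "*"):
            if who in section:
                return section[who]
        if node == "/":
            return ""  # no rule matched anywhere: deny
        node = node.rsplit("/", 1)[0] or "/"

def revprop_access(rules, user, changed_paths):
    """Design described in the message: readability of every changed path
    gates svn:log, and read access implies write access to the revprop."""
    readable = all("r" in access(rules, user, p) for p in changed_paths)
    return {"read_log": readable, "write_log": readable}

def proposed_write_check(rules, user, changed_paths):
    """Variant the bug report asked for (hypothetical model): editing the
    log requires write access to every changed path."""
    return all("w" in access(rules, user, p) for p in changed_paths)

RULES = load_rules(AUTHZ)
R10 = ["/foo/bar", "/secret/keys.txt"]  # constructed changed-path lists
R11 = ["/foo/bar"]
```

In this model sally, who is read-only everywhere, may edit the log of R10, while harry, who has write access to /foo/bar but cannot read /secret, cannot even see it; proposed_write_check reverses the outcome for sally on R11.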

