On 14 nov 2012, at 11:53, Ivan Zhakov <i...@visualsvn.com> wrote:

>>> Confirmed as far as my testing goes (did not test short_circuit). I suggest
>>> committing the patch with GET subrequest and potentially change all to
>>> HEAD in a separate commit if there is consensus.
>> Committed in r1408184.
> I doubt about backporting this fix to 1.7.x.
>
> Pro:
> * This is a regression from 1.6.x: It was possible to restrict access
> to "Collection of Repositories" by controlling access to [/], while
> access to individual repositories was controlled by [repoN:/]. This
> might not have been by design, but still a very useful feature.
>
> * We already ported a similar fix to hide unreadable dirs to 1.6.x (r996884)
>
> Cons:
> * Security behavior changes in patches are not a good thing from my point of view
>
>
> Any opinions?

I think it makes sense to release in 1.8 (no backport). Provides a better opportunity to explain the change. Admins on 1.6 who cannot have open access to Collection of Repositories will have to skip 1.7.

I can try to draft something for the change notes, next week.

/Thomas Å.