On 25.08.2021 21:01, Mark Phippard wrote:
On Wed, Aug 25, 2021 at 3:16 AM Johan Corveleyn <jcor...@gmail.com> wrote:

Is there a way to test whether one has rw access without actually doing
a commit or a revprop edit? It's possible with hooks, of course, but is
it also possible without hooks?

I'm not sure I understand: why would I need to know that the cached
credentials have read-write access?

I think it was a good question. It is hard to predict if a build
process just needs read access or read-write. If it needs the latter
it could complicate the effectiveness of a solution that goes down
this path. For example, imagine a scenario where the server allows
anonymous read access .. it will not even be possible to check
credentials unless you attempt a write operation.

I was never super excited about this change to disallow plain text
passwords but I figured fighting against a security issue is a losing
battle. I personally prefer the suggestion of making it a compile
option to disallow plain text passwords and have them enabled by
default and just turned off in the default configuration. The
alice/eve scenario while valid just does not concern me.

Solving with svn auth is a nice idea but I do not see it working
unless we have a way to authenticate for write access without writing
something.

There isn't in general, since authz can complicate matters. And there
isn't currently, we don't have server-side support for that. I'm not
even sure we could add a server-side method for this check, since the
check for write access can be done entirely outside of Subversion. "svn
authz write-check $url" sounds plausible until you consider all the
various possible authn/authz checking combinations.

-- Brane