On 26.08.2021 14:10, Daniel Shahaf wrote:
Branko Čibej wrote on Thu, 26 Aug 2021 08:11 +00:00:
On 25.08.2021 21:01, Mark Phippard wrote:
Solving with svn auth is a nice idea but I do not see it working
unless we have a way to authenticate for write access without writing
something.
There isn't in general, since authz can complicate matters. And there
isn't currently, we don't have server-side support for that. I'm not
even sure we could add a server-side method for this check, since the
check for write access can be done entirely outside of Subversion. "svn
authz write-check $url" sounds plausible until you consider all the
various possible authn/authz checking combinations.
I don't see the problem. What's implausible about writing an RA API
that authenticates the client, takes a path and an "is recursive?" bit,
and returns the result of «svnauthz accessof» on that path? That's
basically what the revprop edit codepath will do in the default
configuration (with the pre- hook not existing).
That part is not implausible. It would have to be implemented in a way
that works when part of the authz processing is done outside of
Subversion, e.g., it should use an HTTP method that requires write
access. It's also not backward-compatible, I'd expect "svn auth add" to
work reasonably well against older servers.
I'm not comfortable with the idea of updating the authn cache without
contacting the server when we could.
-- Brane
