Branko Čibej wrote on Thu, 26 Aug 2021 12:49 +00:00:
> On 26.08.2021 14:10, Daniel Shahaf wrote:
> > Branko Čibej wrote on Thu, 26 Aug 2021 08:11 +00:00:
> >> On 25.08.2021 21:01, Mark Phippard wrote:
> >>> Solving with svn auth is a nice idea but I do not see it working
> >>> unless we have a way to authenticate for write access without writing
> >>> something.
> >> There isn't in general, since authz can complicate matters. And there
> >> isn't currently, we don't have server-side support for that. I'm not
> >> even sure we could add a server-side method for this check, since the
> >> check for write access can be done entirely outside of Subversion. "svn
> >> authz write-check $url" sounds plausible until you consider all the
> >> various possible authn/authz checking combinations.
> > I don't see the problem.  What's implausible about writing an RA API
> > that authenticates the client, takes a path and an "is recursive?" bit,
> > and returns the result of «svnauthz accessof» on that path?  That's
> > basically what the revprop edit codepath will do in the default
> > configuration (with the pre- hook not existing).
> 
> That part is not implausible. It would have to be implemented in a way 
> that works when part of the authz processing is done outside of 
> Subversion, e.g., it should use an HTTP method that requires write 
> access.

An HTTPv2 POST, then?

> It's also not backward-compatible, I'd expect "svn auth add" to 
> work reasonably well against older servers.

It's not possible to test write access against older servers, but that
doesn't mean we have to wait until 2.0 to make that possible: it's a new
feature, not an incompatible change.

> I'm not comfortable with the idea of updating the authn cache without 
> contacting the server when we could.

…why?

Cheers,

Daniel
