Branko Čibej wrote on Thu, 26 Aug 2021 12:49 +00:00: > On 26.08.2021 14:10, Daniel Shahaf wrote: > > Branko Čibej wrote on Thu, 26 Aug 2021 08:11 +00:00: > >> On 25.08.2021 21:01, Mark Phippard wrote: > >>> Solving with svn auth is a nice idea but I do not see it working > >>> unless we have a way to authenticate for write access without writing > >>> something. > >> There isn't in general, since authz can complicate matters. And there > >> isn't currently, we don't have server-side support for that. I'm not > >> even sure we could add a server-side method for this check, since the > >> check for write access can be done entirely outside of Subversion. "svn > >> authz write-check $url" sounds plausible until you consider all the > >> various possible authn/authz checking combinations. > > I don't see the problem. What's implausible about writing an RA API > > that authenticates the client, takes a path and an "is recursive?" bit, > > and returns the result of «svnauthz accessof» on that path? That's > > basically what the revprop edit codepath will do in the default > > configuration (with the pre- hook not existing). > > That part is not implausible. It would have to be implemented in a way > that works when part of the authz processing is done outside of > Subversion, e.g., it should use an HTTP method that requires write > access.
An HTTPv2 POST, then? > It's also not backward-compatible, I'd expect "svn auth add" to > work reasonably well against older servers. It's not possible to test write access against older servers, but that doesn't mean we have to wait until 2.0 to make that possible: it's a new feature, not an incompatible change. > I'm not comfortable with the idea of updating the authn cache without > contacting the server when we could. …why? Cheers, Daniel