Daniel Shahaf wrote on Sat, Jul 31, 2021 at 00:41:48 +0000: > Now, the delete logic should request a *non* recursive access check if > the thing to be deleted is a plain file in HEAD. > subversion/libsvn_repos/commit.c:delete_entry() > does behave this way — when the .uasset path identifies a non-directory > in HEAD, which is why I asked about that above — but if I'm reading > mod_authz_svn's code correctly, it requires svn_authz_recursive access > on all DELETE calls, regardless of whether a file or a directory is > being requested to be deleted. > > Which is to say, this would seem to be a bug in mod_authz_svn.
The following test results in SKIP/PASS/XFAIL on ra_local/ra_svn/ra_serf, respectively. It's a bit rough — no comments and line length style violation — but putting it here for anyone who may want to take this further. When testing this I commented out the AuthzSVNReposRelativeAccessFile line in davautocheck.sh for reasons discussed in the "1.14.x test failure under USE_HTTPV1=1: ra-test 13 commit_empty_last_change" thread (the secondary problem in that thread, not the one the subject line is about). Cheers, Daniel [[[ Index: subversion/tests/cmdline/authz_tests.py =================================================================== --- subversion/tests/cmdline/authz_tests.py (revision 1891909) +++ subversion/tests/cmdline/authz_tests.py (working copy) @@ -1732,6 +1732,25 @@ def empty_group(sbox): sbox.repo_url) +@XFail(svntest.main.is_ra_type_dav) +@Skip(svntest.main.is_ra_type_file) +def delete_file_with_starstar_rules(sbox): + "delete file with ** rules" + + sbox.build(create_wc = False) + + write_restrictive_svnserve_conf(sbox.repo_dir) + + prefixed_rules = dict() + prefixed_rules[':glob:/**/lorem'] = '* = \n' + prefixed_rules['/'] = '%s = rw\n' % (svntest.main.wc_author,) + prefixed_rules['/A'] = '%s = \n' % (svntest.main.wc_author,) + prefixed_rules['/iota'] = '%s = rw\n' % (svntest.main.wc_author,) + write_authz_file(sbox, None, prefixed_rules = prefixed_rules) + + svntest.main.run_svn(None, 'rm', sbox.repo_url + '/iota', '-m', 'Delete by URL') + + ######################################################################## # Run the tests @@ -1771,6 +1790,7 @@ test_list = [ None, inverted_group_membership, group_member_empty_string, empty_group, + delete_file_with_starstar_rules, ] serial_only = True ]]]