On 23.10.2012 13:48, Stefan Sperling wrote: > On Tue, Oct 23, 2012 at 04:29:51PM +0400, Ivan Zhakov wrote: >>>> I'm working on the patch to list only readable repositories. There is >>>> already TODO comment in the code by cmpilato: >>>> subversion\mod_dav_svn\repos.c:3461 >>>> [[[ >>>> /* ### TODO: We could test for readability of the root >>>> directory of each repository and hide those that >>>> the user can't see. */ >> I'm going to create small patch to just fix this problem and probably >> refactor later in separate commit. > What about users who are allowed to see a subtree of the repository but > not the root? Shouldn't such users be allowed to list the repository?
Maybe. The access grants involved are usually called "directory traversal" and "directory read". Anyone who has any kind of at least read access to any subtree in the repository should implicitly have permission to traverse the tree to the root of that subtree, but not to list directory contents. What you're suggesting means that directory traversal permission on the repository root implies partial, non-inheritable directory read permission on the virtual one level above root. We could treat this as an exception to an otherwise more usual permission model. The trouble I see with modelling this is that, in most access control models, the name of a node is a property of its parent, not of the node; therefore, "read" permission for a directory implies being allowed to list the names of all its children, but not their attributes (e.g., in this case, the HEAD revision of each repository). I'd actually prefer to stick with a more or less standard access control model than invent our own. -- Brane -- Certified & Supported Apache Subversion Downloads: http://www.wandisco.com/subversion/download
