On 23 Oct 2012, at 14:22, roderich.sch...@gmail.com wrote:

> I'm working on the patch to list only readable repositories. There is
> already a TODO comment in the code by cmpilato:
> subversion\mod_dav_svn\repos.c:3461

Thanks Ivan for looking into it. Let's see if it is feasible to address.

> Please keep in mind that the problem is not restricted to parent-path
> collections of repositories: Since SVN 1.7 any user can "list" the root
> of a "standalone" repository even if she has no access grants whatsoever.
> Of course, the listing will be empty in this case (but the head revision
> is leaked).

Are you saying that SVN 1.7 always allows browsing the root but it is empty when the user lacks authz? When I follow a link from the parentpath repository list into a repository where I do not have access, I get a 403.

Perhaps it is possible to confirm the existence of a repository by specifically requesting the head revision from arbitrary repository names. That is not ideal but requires significantly more determination to figure out than just looking at a list.

regards,
Thomas Å.