Author: svn-role Date: Fri Dec 18 04:00:28 2020 New Revision: 1884590 URL: http://svn.apache.org/viewvc?rev=1884590&view=rev Log: Merge r1882326 from trunk:
* r1882326 Fix issue #4762 "authz doesn't combine global and repository rules" Justification: Restore behaviour of SVN 1.9: It is now again possible to override per-path access rules for specific users (and groups) at the global level. Such global rules are overridden by repository-specific rules only if both the user and the path match the repository-specific rule. Votes: +1: stsp, brane, jcorvel Modified: subversion/branches/1.14.x/ (props changed) subversion/branches/1.14.x/STATUS subversion/branches/1.14.x/subversion/libsvn_repos/authz.c subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c Propchange: subversion/branches/1.14.x/ ------------------------------------------------------------------------------ Merged /subversion/trunk:r1882326 Modified: subversion/branches/1.14.x/STATUS URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/STATUS?rev=1884590&r1=1884589&r2=1884590&view=diff ============================================================================== --- subversion/branches/1.14.x/STATUS (original) +++ subversion/branches/1.14.x/STATUS Fri Dec 18 04:00:28 2020 @@ -73,16 +73,6 @@ Veto-blocked changes: Approved changes: ================= - * r1882326 - Fix issue #4762 "authz doesn't combine global and repository rules" - Justification: - Restore behaviour of SVN 1.9: It is now again possible to override - per-path access rules for specific users (and groups) at the global - level. Such global rules are overridden by repository-specific rules - only if both the user and the path match the repository-specific rule. - Votes: - +1: stsp, brane, jcorvel - * r1878997, r1879192, r1879474, r1879959 Fix issue #4859, Merge removing a folder with non-inheritable mergeinfo -> E155023: can't set properties: invalid status for updating properties Modified: subversion/branches/1.14.x/subversion/libsvn_repos/authz.c URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/subversion/libsvn_repos/authz.c?rev=1884590&r1=1884589&r2=1884590&view=diff ============================================================================== --- subversion/branches/1.14.x/subversion/libsvn_repos/authz.c (original) +++ subversion/branches/1.14.x/subversion/libsvn_repos/authz.c Fri Dec 18 04:00:28 2020 @@ -889,9 +889,7 @@ create_user_authz(authz_full_t *authz, /* Use a separate sub-pool to keep memory usage tight. */ apr_pool_t *subpool = svn_pool_create(scratch_pool); - /* Find all ACLs for REPOSITORY. - * Note that repo-specific rules replace global rules, - * even if they don't apply to the current user. */ + /* Find all ACLs for REPOSITORY. */ apr_array_header_t *acls = apr_array_make(subpool, authz->acls->nelts, sizeof(authz_acl_t *)); for (i = 0; i < authz->acls->nelts; ++i) @@ -908,15 +906,36 @@ create_user_authz(authz_full_t *authz, = APR_ARRAY_IDX(acls, acls->nelts - 1, const authz_acl_t *); if (svn_authz__compare_paths(&prev_acl->rule, &acl->rule) == 0) { + svn_boolean_t global_acl_applies; + svn_boolean_t repos_acl_applies; + + /* Previous ACL is a global rule. */ SVN_ERR_ASSERT_NO_RETURN(!strcmp(prev_acl->rule.repos, AUTHZ_ANY_REPOSITORY)); + /* Current ACL is a per-repository rule. */ SVN_ERR_ASSERT_NO_RETURN(strcmp(acl->rule.repos, AUTHZ_ANY_REPOSITORY)); - apr_array_pop(acls); + + global_acl_applies = + svn_authz__get_acl_access(NULL, prev_acl, user, repository); + repos_acl_applies = + svn_authz__get_acl_access(NULL, acl, user, repository); + + /* Prefer rules which apply to both this user and this path + * over rules which apply only to the path. In cases where + * both rules apply to user and path, always prefer the + * repository-specific rule. */ + if (!global_acl_applies || repos_acl_applies) + { + apr_array_pop(acls); + APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl; + } } + else + APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl; } - - APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl; + else + APR_ARRAY_PUSH(acls, const authz_acl_t *) = acl; } } Modified: subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c URL: http://svn.apache.org/viewvc/subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c?rev=1884590&r1=1884589&r2=1884590&view=diff ============================================================================== --- subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c (original) +++ subversion/branches/1.14.x/subversion/tests/libsvn_repos/authz-test.c Fri Dec 18 04:00:28 2020 @@ -522,7 +522,7 @@ static struct svn_test_descriptor_t test "test svn_authz__get_global_rights"), SVN_TEST_PASS2(issue_4741_groups, "issue 4741 groups"), - SVN_TEST_XFAIL2(reposful_reposless_stanzas_inherit, + SVN_TEST_PASS2(reposful_reposless_stanzas_inherit, "[foo:/] inherits [/]"), SVN_TEST_NULL };