Thanks for the review Philip.
>Let me see if I understand: The issue is that when SVNListParentPath
>and AuthzSVNAccessFile are configured then GET requests for the parent
>path get passed through the authz stuff. This is a bug because the
>authz file doesn't control parent path.
>Your patch recognises this request and avoids doing the authz check.
Yes, exactly.
>> + canonicalized_uri = svn_uri_canonicalize(r->uri, r->pool);
>> + canonicalized_root_path = svn_uri_canonicalize(conf->base_path, r->pool);
>Can conf->base_path be canonicalised once in
>create_authz_svn_dir_config rather than for every request?
Yes should be, Will update my patch to handle this.
>> + if (strcmp(canonicalized_uri, canonicalized_root_path) == 0)
>> + {
>> + /*Do no access control when root_path(as configured in <Location>)
>> and
>> + given uri are same.*/
>> + return OK;
>> + }
>What happens if SVNParentPath is not being used? Is base_path is the
>root of the repository? Does this disable authz on the root of that
>repository? Perhaps you should be checking dav_svn__get_list_parentpath?
I tested this
$svn co http://localhost/svn <-- Repo itself instead of parent of repositories.
$cd svn
$svn ps 'a' 'b' .
$svn ci -m "commit" <-This worked as per the authz rules. Anyway will do the
directory/file creations to check in case!.
>I think this check would make more sense in access_checker rather than
>req_check_access.
Let me see and do if needed.
>The code needs a comment to say why no access control is neccessary in
>this case.
Will update the comment.
With regards
Kamesh Jayachandran
