Thanks for the review Philip.
>Let me see if I understand: The issue is that when SVNListParentPath >and AuthzSVNAccessFile are configured then GET requests for the parent >path get passed through the authz stuff. This is a bug because the >authz file doesn't control parent path. >Your patch recognises this request and avoids doing the authz check. Yes, exactly. >> + canonicalized_uri = svn_uri_canonicalize(r->uri, r->pool); >> + canonicalized_root_path = svn_uri_canonicalize(conf->base_path, r->pool); >Can conf->base_path be canonicalised once in >create_authz_svn_dir_config rather than for every request? Yes should be, Will update my patch to handle this. >> + if (strcmp(canonicalized_uri, canonicalized_root_path) == 0) >> + { >> + /*Do no access control when root_path(as configured in <Location>) >> and >> + given uri are same.*/ >> + return OK; >> + } >What happens if SVNParentPath is not being used? Is base_path is the >root of the repository? Does this disable authz on the root of that >repository? Perhaps you should be checking dav_svn__get_list_parentpath? I tested this $svn co http://localhost/svn <-- Repo itself instead of parent of repositories. $cd svn $svn ps 'a' 'b' . $svn ci -m "commit" <-This worked as per the authz rules. Anyway will do the directory/file creations to check in case!. >I think this check would make more sense in access_checker rather than >req_check_access. Let me see and do if needed. >The code needs a comment to say why no access control is neccessary in >this case. Will update the comment. With regards Kamesh Jayachandran