subversion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From stef...@apache.org
Subject svn commit: r1775546 - in /subversion/branches/authzperf/subversion: libsvn_repos/authz_info.c tests/libsvn_repos/authz-test.c
Date Wed, 21 Dec 2016 19:36:28 GMT
Author: stefan2
Date: Wed Dec 21 19:36:28 2016
New Revision: 1775546

URL: http://svn.apache.org/viewvc?rev=1775546&view=rev
Log:
On the authzperf branch:
Fix the calculation of global access rights for the cases where explicit
and implicit rights need to be combined.

* subversion/libsvn_repos/authz_info.c
  (resolve_global_rights): If there are no rules for the repository itself,
                           the global rules apply but not the ones for other
                           repos.
  (svn_authz__get_global_rights): Even if we do have per-user rights, they
                                  still overlap with $authenticated rights.

* subversion/tests/libsvn_repos/authz-test.c
  (test_global_rights): Add test cases for per-repos and global rules
                        combination as well as per-user and $authenticated
                        user rule combinations.

Modified:
    subversion/branches/authzperf/subversion/libsvn_repos/authz_info.c
    subversion/branches/authzperf/subversion/tests/libsvn_repos/authz-test.c

Modified: subversion/branches/authzperf/subversion/libsvn_repos/authz_info.c
URL: http://svn.apache.org/viewvc/subversion/branches/authzperf/subversion/libsvn_repos/authz_info.c?rev=1775546&r1=1775545&r2=1775546&view=diff
==============================================================================
--- subversion/branches/authzperf/subversion/libsvn_repos/authz_info.c (original)
+++ subversion/branches/authzperf/subversion/libsvn_repos/authz_info.c Wed Dec 21 19:36:28
2016
@@ -132,8 +132,9 @@ resolve_global_rights(authz_rights_t *ri
         }
     }
 
-  /* Fall-through: return accumulated rights across all repositories. */
-  *rights_p = global_rights->all_repos_rights;
+  /* Fall-through: return the rights defined for "any" repository
+     because this user has no specific rules for this specific REPOS. */
+  *rights_p = global_rights->any_repos_rights;
   return FALSE;
 }
 
@@ -157,12 +158,18 @@ svn_authz__get_global_rights(authz_right
 
       if (user_rights)
         {
-          authz_rights_t rights;
-          if (resolve_global_rights(&rights, user_rights, repos))
+          svn_boolean_t explicit
+            = resolve_global_rights(rights_p, user_rights, repos);
+
+          /* Rights given to _any_ authenticated user may apply, too. */
+          if (authz->has_authn_rights)
             {
-              *rights_p = rights;
-              return TRUE;
+              authz_rights_t authn;
+              explicit |= resolve_global_rights(&authn, &authz->authn_rights,
+                                                repos);
+              combine_rights(rights_p, rights_p, &authn);
             }
+          return explicit;
         }
 
       /* Check if we have explicit rights for authenticated access. */

Modified: subversion/branches/authzperf/subversion/tests/libsvn_repos/authz-test.c
URL: http://svn.apache.org/viewvc/subversion/branches/authzperf/subversion/tests/libsvn_repos/authz-test.c?rev=1775546&r1=1775545&r2=1775546&view=diff
==============================================================================
--- subversion/branches/authzperf/subversion/tests/libsvn_repos/authz-test.c (original)
+++ subversion/branches/authzperf/subversion/tests/libsvn_repos/authz-test.c Wed Dec 21 19:36:28
2016
@@ -374,7 +374,72 @@ test_global_rights(apr_pool_t *pool)
       { NULL }
     };
 
+  const char* authz2 =
+    "[/]"                                                                NL
+    "userA = r"                                                          NL
+    ""                                                                   NL
+    "[/public]"                                                          NL
+    "userB = rw"                                                         NL
+    ""                                                                   NL
+    "[repo:/]"                                                           NL
+    "userA = rw"                                                         NL;
+
+  const global_right_text_case_t test_cases2[] =
+    {
+      /* Everyone may get read access b/c there might be a "/public" path. */
+      {      "",      "", { authz_access_none, authz_access_none  },  TRUE },
+      {      "", "userA", { authz_access_none, authz_access_read  },  TRUE },
+      {      "", "userB", { authz_access_none, authz_access_write },  TRUE },
+      {      "", "userC", { authz_access_none, authz_access_none  },  TRUE },
+
+      /* Two users do even get write access on some paths in "greek".
+       * The root always defaults to n/a due to the default rule. */
+      { "greek",      "", { authz_access_none, authz_access_none  }, FALSE },
+      { "greek", "userA", { authz_access_none, authz_access_read  }, FALSE },
+      { "greek", "userB", { authz_access_none, authz_access_write }, FALSE },
+      { "greek", "userC", { authz_access_none, authz_access_none  }, FALSE },
+
+      { NULL }
+    };
+
+  const char* authz3 =
+    "[/]"                                                                NL
+    "userA = r"                                                          NL
+    ""                                                                   NL
+    "[greek:/public]"                                                    NL
+    "userB = rw"                                                         NL
+    ""                                                                   NL
+    "[repo:/users]"                                                      NL
+    "$authenticated = rw"                                                NL;
+
+  const global_right_text_case_t test_cases3[] =
+    {
+      /* Everyone may get read access b/c there might be a "/public" path. */
+      {      "",      "", { authz_access_none, authz_access_none  },  TRUE },
+      {      "", "userA", { authz_access_none, authz_access_read  },  TRUE },
+      {      "", "userB", { authz_access_none, authz_access_none  },  TRUE },
+      {      "", "userC", { authz_access_none, authz_access_none  },  TRUE },
+
+      /* Two users do even get write access on some paths in "greek".
+       * The root always defaults to n/a due to the default rule. */
+      { "greek",      "", { authz_access_none, authz_access_none  }, FALSE },
+      { "greek", "userA", { authz_access_none, authz_access_read  }, FALSE },
+      { "greek", "userB", { authz_access_none, authz_access_write },  TRUE },
+      { "greek", "userC", { authz_access_none, authz_access_none  }, FALSE },
+
+      /* Two users do even get write access on some paths in "greek".
+       * The root always defaults to n/a due to the default rule. */
+      {  "repo",      "", { authz_access_none, authz_access_none  }, FALSE },
+      {  "repo", "userA", { authz_access_none, authz_access_write },  TRUE },
+      {  "repo", "userB", { authz_access_none, authz_access_write },  TRUE },
+      {  "repo", "userC", { authz_access_none, authz_access_write },  TRUE },
+
+      { NULL }
+    };
+
   SVN_ERR(run_global_rights_tests(authz1, test_cases1, pool));
+  SVN_ERR(run_global_rights_tests(authz2, test_cases2, pool));
+  SVN_ERR(run_global_rights_tests(authz3, test_cases3, pool));
 
   return SVN_NO_ERROR;
 }



Mime
View raw message