Details
- Type: Bug
- Resolution: Duplicate
- Priority: High
- Affects Version: 1.2.1
Description
Say I have a CrowdAuthzSVNAccessFile directive pointing to a file containing:
    [/]
    @users = r
    @developers = r
    @administrators = rw
    @system-administrators = rw
My user is a member of groups 'users', 'developers' and 'administrators'.
In this case, I would expect to have 'rw' access (see below). However the code denies access:
[Thu Mar 27 01:51:23 2008] [debug] CrowdAuthz.pm(270): [client 202.47.1.18] test_administrator is DENIED w access to /WOMBLE/trunk/test.txt
The problem is in Atlassian-Crowd-1.2.1/lib/Atlassian/Crowd.pm in the evaluate_single_path_authz function, where it iterates over the user's groups, and sees if any of the config file lines match:
    } else {
        # then check groups
        foreach my $group (@$groups) {
            if (exists $section_hash->{$working_path}{'@'.$group}) {
                $access_specified = $section_hash->{$working_path}{'@'.$group};
                #Test::More::diag("found group[$group] = $access_specified");
            }
        }
    }
In my case @$groups is ('developers', 'administrators', 'users'). So $access_specified is successively set to 'r', 'rw' and 'r', with the last value 'r' being returned. The function should rather return the 'most permissive' permission encountered ('rw'). (Perhaps a bitset would be a more natural way to represent this? then you could just OR the old value with the new..).
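As an added illustration (not code from the Crowd module or this report), the two evaluation strategies side by side in Perl: parse_authz, authz_last_match, authz_union and the r=1/w=2 bit encoding are this example's own names, and the authz text is constructed from the file quoted above.

```perl
use strict;
use warnings;

# Constructed authz content matching the report's file (path section only;
# group membership comes from Crowd, so there is no [groups] section).
my $authz = <<'END';
[/]
@users = r
@developers = r
@administrators = rw
@system-administrators = rw
END
# Parse "[path]" sections into { path => { '@group' => 'rw' } }, the shape
# the report describes for $section_hash.
sub parse_authz {
    my ($text) = @_;
    my (%sections, $path);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        if ($line =~ /^\[(.+)\]\s*$/) { $path = $1; next }
        $sections{$path}{$1} = $2
            if defined $path && $line =~ /^\s*(\S+)\s*=\s*(\w*)\s*$/;
    }
    return \%sections;
}
# Buggy behaviour from the report: the last matching group wins.
sub authz_last_match {
    my ($sections, $path, $groups) = @_;
    my $access = '';
    for my $group (@$groups) {
        $access = $sections->{$path}{'@'.$group}
            if exists $sections->{$path}{'@'.$group};
    }
    return $access;
}
# Corrected: OR the permission bits of every matching group (r=1, w=2),
# so the most permissive grant wins regardless of group order.
my %BIT = (r => 1, w => 2);
sub authz_union {
    my ($sections, $path, $groups) = @_;
    my $bits = 0;
    for my $group (@$groups) {
        $bits |= ($BIT{$_} // 0) for split(//, $sections->{$path}{'@'.$group} // '');
    }
    return join '', grep { $bits & $BIT{$_} } qw(r w);
}
my $sections = parse_authz($authz);
my @groups   = qw(developers administrators users);   # group order from the report
printf "last-match: '%s'  union: '%s'\n",
    authz_last_match($sections, '/', \@groups), authz_union($sections, '/', \@groups);
```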
To test the default svn behaviour, I set:
AuthzSVNAccessFile /data/jirastudio/svn/root/conf/authz-noncrowd
with authz-noncrowd containing:
    [groups]
    users=test_administrator
    developers=test_administrator
    administrators=test_administrator
    system-administrators=
    [/]
    @users = r
    @developers = r
    @administrators = rw
    @system-administrators = rw
and it worked.
Issue Links
- duplicates: CWD-923 Apache::CrowdAuthz uses permissions of last group matched in SVN authz file when principal belongs to multiple groups. (Closed)