Jean-Louis Schricke (mesulog) 2019-05-16 11:01
I tried to change the project level to 'private'. It solves the SVN default access rights. But:
* site administrator doesn't see the project anymore
* other Mesulog members cannot access the project through the web if they are not members of the project

Jean-Louis Schricke (mesulog) 2019-05-16 09:08
What are the default SVN access rights for a "private" project?

Thomas Gerbet (tgerbet) 2019-05-16 08:48
No they are not. I cannot qualify something that happens after the code is modified as a security issue. The behavior before your changes is the expected one and it fits the permission model.
I suggest you either:
* change the project access level to private
* edit the access file of the repository to override the default permissions
** via the dedicated panel in the web UI (or the REST API if you use the SVN plugin)
Status changed from Waiting for information to Declined

Jean-Louis Schricke (mesulog) 2019-05-15 19:02
Thomas,
Are the .SVNAccessFile updated when Tuleap starts?
There is no issue but maybe a missing functionality. We cannot use the Tuleap default SVN policy, which gives read access to any SVN repository:

    [/]
    * = r
    @members = rw

For nine years we have modified this default policy at each Tuleap update to:

    [/]
    * =
    @members = rw

by modifying /usr/share/tuleap/src/common/backend/BackendSVN.class.php
But I discovered recently that we forgot to make this change during the last Tuleap update and I have a security issue on some projects.

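A check for the exposure described in the comment above, as an added example that is not part of the original thread or of Tuleap's code: it parses `.SVNAccessFile` contents and lists the sections where `*` is granted read access. The repository root passed to `audit_tree` and the sample file contents are assumptions constructed for illustration.

```python
import os
import re

SECTION = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")

# Constructed samples mirroring the two policies quoted in the thread.
DEFAULT_POLICY = "[groups]\nmembers = alice, bob\n\n[/]\n* = r\n@members = rw\n"
RESTRICTED_POLICY = "[groups]\nmembers = alice, bob\n\n[/]\n* =\n@members = rw\n"

def parse_authz(text):
    """Return {section: {principal: [perms, ...]}} for an authz-style access file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION.match(line)
        if match:
            current = sections.setdefault(match.group("path"), {})
        elif current is not None and "=" in line:
            principal, perms = (part.strip() for part in line.split("=", 1))
            # Keep every rule seen for a principal so the audit stays conservative.
            current.setdefault(principal, []).append(perms)
    return sections

def world_readable_paths(text):
    """List sections in which any '*' rule includes read access."""
    sections = parse_authz(text)
    for definitions in ("groups", "aliases"):  # membership definitions, not path rules
        sections.pop(definitions, None)
    return sorted(
        path for path, rules in sections.items()
        if any("r" in perms for perms in rules.get("*", []))
    )

def audit_tree(root):
    """Walk `root` (caller-supplied, hypothetical location) and report exposed files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".SVNAccessFile" in files:
            path = os.path.join(dirpath, ".SVNAccessFile")
            with open(path, encoding="utf-8", errors="replace") as handle:
                exposed = world_readable_paths(handle.read())
            if exposed:
                findings[path] = exposed
    return findings
```

Running `audit_tree` after each upgrade shows whether regenerated access files have reverted to the `* = r` default.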
Thomas Gerbet (tgerbet) 2019-05-15 18:34
SVNAccessFile are regenerated when:
* a change is done to it
* user groups of the project are changed
* project visibility is changed
* ...
The change is done via system events. There is a script to trigger an update but it only impacts repositories coming with "SVN core", not the plugin, and it was never meant to be used by a human operator.
Is there a reproducible issue behind those questions?
Status changed from New to Waiting for information