"listing.php" fails to show files in restricted subdirs. #146

@ams-tschoening

I'm somewhat sure there's something wrong with the following lines in listing.php:

    $vars['compare_box'] = ''; // Set blank once in case tree view is not enabled.
    return showDirFiles($svnrep, $subs, 0, $limit, $rev, $peg, $listing, 0, $config->treeView);

I'm calling that like the following, which is actually trying to show /tags/DIR1/DIR2:

https://[...]/websvn/Bin/DocBeam/listing.php?repname=DocBeam3&path=%2Ftags%2FDIR1%2FDIR2%2F

The important thing to note is that the executing user is NOT allowed to read /, /tags and /tags/DIR1, really only the last directory. And while WebSVN doesn't show any error, but instead the logs etc. of DIR2, it also DOES NOT show the files WITHIN that directory.

I think providing 0 as the level in the above call in case of child paths is wrong. Doing so makes the called function showDirFiles always start with /, permission check for that dir correctly fails and no children are ever recognized.

    // TODO: Fix node links to use the path and number of peg revision (if exists)
    // This applies to file detail, log, and RSS -- leave the download link as-is
    for ($n = 0; $n <= $level; $n++)
    {
        $path .= $subs[$n].'/';
    }

$subs is correct when calling that code, but with $level being 0, there's only one iteration.

    array(5) {
      [0]=>string(0) ""
      [1]=>string(4) "tags"
      [2]=>string(2) "BB"
      [3]=>string(9) "LSG BE-BB"
      [4]=>string(0) ""
    }

What does work is the following:

    // For directory, the last element in the subs is empty.
    // For file, the last element in the subs is the file name.
    // Therefore, it is always count($subs) - 2
    $limit = count($subs) - 2;
    $level = $limit - 1;
    $level = $level <= 0 ? 0 : $level;
[...]
    $vars['compare_box'] = ''; // Set blank once in case tree view is not enabled.
    return showDirFiles($svnrep, $subs, $level, $limit, $rev, $peg, $listing, 0, $config->treeView);

Would be great if someone else could have a look at this as well, thanks!
