# 
# patch "ChangeLog"
#  from [7c81492d87920b0ba7c60928c77b74902776a9cd]
#    to [d816eaad5f1f762d0611791411a21e7a0a14b90a]
# 
# patch "netsync.cc"
#  from [e9786aaaad7990675f952101b544f35fd168df4c]
#    to [cebe0aa43271d815df89c6012d070881c4f589a6]
# 
--- ChangeLog
+++ ChangeLog
@@ -1,5 +1,13 @@
 2005-07-07  Nathaniel Smith  <address@hidden>
 
+	* netsync.cc (process_hello_cmd, process_anonymous_cmd) 
+	(process_auth_cmd): Change permission checking -- always build
+	merkle tree (even when a pure sink), send permission denied and
+	abort whenever client tries to read/write a branch they don't have
+	access to.
+
+2005-07-07  Nathaniel Smith  <address@hidden>
+
 	* ChangeLog: fixup formatting.
 
 2005-07-06  Matt Johnston  <address@hidden>
--- netsync.cc
+++ netsync.cc
@@ -124,17 +124,6 @@
 // bytes of 0 during authentication, and a 20-byte random key chosen
 // by the client after authentication (discussed below).
 //
-//---- Pre-v5 packet format ----
-//
-// the protocol is a simple binary command-packet system over tcp; each
-// packet consists of a byte which identifies the protocol version, a byte
-// which identifies the command name inside that version, a size_t sent as
-// a uleb128 indicating the length of the packet, and then that many bytes
-// of payload, and finally 4 bytes of adler32 checksum (in LSB order) over
-// the payload.
-//
-// ---- end pre-v5 packet format ----
-//
 // decoding involves simply buffering until a sufficient number of bytes are
 // received, then advancing the buffer pointer. any time an integrity check
 // (the HMAC) fails, the protocol is assumed to have lost synchronization, and
@@ -1763,6 +1752,8 @@
     this->remote_peer_key_hash = their_key_hash_decoded;
   }
 
+  // clients always include in the synchronization set, every branch that the
+  // user requested
   vector<string> branchnames;
   set<utf8> ok_branches;
   get_branches(app, branchnames);
@@ -1770,7 +1761,7 @@
       i != branchnames.end(); i++)
     {
       if (our_matcher(*i))
-          ok_branches.insert(utf8(*i));
+        ok_branches.insert(utf8(*i));
     }
   rebuild_merkle_trees(app, ok_branches);
 
@@ -1848,17 +1839,15 @@
   for (vector<string>::const_iterator i = branchnames.begin();
       i != branchnames.end(); i++)
     {
-      if (our_matcher(*i) && their_matcher(*i)
-          && app.lua.hook_get_netsync_anonymous_read_permitted(*i))
-        ok_branches.insert(utf8(*i));
+      if (their_matcher(*i))
+        if (our_matcher(*i) && app.lua.hook_get_netsync_anonymous_read_permitted(*i))
+          ok_branches.insert(utf8(*i));
+        else
+          {
+            error((F("anonymous access to branch '%s' denied by server") % *i).str());
+            return true;
+          }
     }
-  if (ok_branches.empty())
-    {
-      W(F("denied anonymous read permission for '%s' excluding '%s'\n")
-        % their_include_pattern % their_exclude_pattern);
-      this->saved_nonce = id("");
-      return false;
-    }
 
   P(F("allowed anonymous read permission for '%s' excluding '%s'\n")
     % their_include_pattern % their_exclude_pattern);
@@ -1934,27 +1923,29 @@
           this->saved_nonce = id("");
           return false;
         }
+    }
 
-      for (vector<string>::const_iterator i = branchnames.begin();
-          i != branchnames.end(); i++)
+  for (vector<string>::const_iterator i = branchnames.begin();
+       i != branchnames.end(); i++)
+    {
+      if (their_matcher(*i))
         {
-          if (our_matcher(*i) && their_matcher(*i)
-              && app.lua.hook_get_netsync_read_permitted(*i, their_id))
+          if (our_matcher(*i) && app.lua.hook_get_netsync_read_permitted(*i, their_id))
             ok_branches.insert(utf8(*i));
+          else
+            {
+              W(F("denied '%s' read permission for '%s' excluding '%s' because of branch '%s'\n") 
+                % their_id % their_include_pattern % their_exclude_pattern % *i);
+              error((F("access to branch '%s' denied by server") % *i).str());
+              return true;
+            }
         }
-      //if we're source_and_sink_role, continue even with no branches readable
-      //ex: serve --db=empty.db
-      if (ok_branches.empty() && their_role == sink_role)
-        {
-          W(F("denied '%s' read permission for '%s' excluding '%s'\n")
-            % their_id % their_include_pattern % their_exclude_pattern);
-          this->saved_nonce = id("");
-          return false;
-        }
+    }
 
-      P(F("allowed '%s' read permission for '%s' excluding '%s'\n")
-        % their_id % their_include_pattern % their_exclude_pattern);
-    }
+  //if we're source_and_sink_role, continue even with no branches readable
+  //ex: serve --db=empty.db
+  P(F("allowed '%s' read permission for '%s' excluding '%s'\n")
+    % their_id % their_include_pattern % their_exclude_pattern);
 
   // client as source, server as sink (writing)
 
@@ -1970,7 +1961,7 @@
 
       if (!app.lua.hook_get_netsync_write_permitted(their_id))
         {
-          W(F("denied '%s' write permission for '%s' excluding '%s' while running as pure source\n")
+          W(F("denied '%s' write permission for '%s' excluding '%s'\n")
             % their_id % their_include_pattern % their_exclude_pattern);
           this->saved_nonce = id("");
           return false;