diff options
| author |   Sitaram Chamarty <sitaram@sita-lt.atc.tcs.com> | 2009-11-16 19:25:34 +0530 |
|---|---|---|
| committer | Sitaram Chamarty <sitaram@sita-lt.atc.tcs.com> | 2009-11-17 09:21:45 +0530 |
| commit | e8270e9b7272458b17f8ed2ccb76ec05f5c45b2a (patch) | |
| tree | 5161a18cb07956ce34909c25b81d7339cd3967c0 | |
| parent | all src: (please read full commit message): allow local admin-defined hooks (diff) | |
| download | gitolite-gentoo-e8270e9b7272458b17f8ed2ccb76ec05f5c45b2a.tar.gz gitolite-gentoo-e8270e9b7272458b17f8ed2ccb76ec05f5c45b2a.tar.bz2 gitolite-gentoo-e8270e9b7272458b17f8ed2ccb76ec05f5c45b2a.zip | |
update hook: 'sub check_ref' to prepare for rebel+v0.90
factor out the code to check $ref into a sub; will help rebel+, which
wants (horrors!) to restrict based on PATH names too!
| -rwxr-xr-x | src/hooks/update | 56 |
1 files changed, 39 insertions, 17 deletions
diff --git a/src/hooks/update b/src/hooks/update index cdf7402..a11b9ad 100755 --- a/src/hooks/update +++ b/src/hooks/update @@ -64,22 +64,44 @@ push @allowed_refs, { "$PERSONAL/$ENV{GL_USER}/" => "RW+" } if $PERSONAL; # we want specific perms to override @all, so they come first push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] }; push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] }; -for my $ar (@allowed_refs) -{ - my $refex = (keys %$ar)[0]; - # refex? sure -- a regex to match a ref against :) - next unless $ref =~ /$refex/; - if ($ar->{$refex} =~ /\Q$perm/) - { - # if log failure isn't important enough to block pushes, get rid of - # all the error checking - open my $log_fh, ">>", $ENV{GL_LOG} - or die "open log failed: $!\n"; - print $log_fh "$ENV{GL_TS} $perm\t" . - substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) . - "\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$refex\n"; - close $log_fh or die "close log failed: $!\n"; - exit 0; + +my $refex = ''; + +# check one ref +sub check_ref { + + # normally, the $ref will be whatever ref the commit is trying to update + # (like refs/heads/master or whatever). At least one of the refexes that + # pertain to this user must match this ref **and** the corresponding + # permission must also match the action (W or +) being attempted. If none + # of them match, the access is denied. + + # Notice that the function DIES!!! Any future changes that require more + # work to be done *after* this, even on failure, can start using return + # codes etc., but for now we're happy to just die. + + my $ref = shift; + for my $ar (@allowed_refs) { + $refex = (keys %$ar)[0]; + # refex? sure -- a regex to match a ref against :) + next unless $ref =~ /$refex/; + + # as far as *this* ref is concerned we're ok + return if ($ar->{$refex} =~ /\Q$perm/); } + die "$perm $ref $ENV{GL_REPO} $ENV{GL_USER} DENIED by fallthru\n"; } -die "$perm $ref $ENV{GL_REPO} $ENV{GL_USER} DENIED by fallthru\n"; + +# and in this version, we have only one ref to check +check_ref($ref); + +# if we returned at all, the check succeeded, so we log the action and exit 0 + +# logging note: if log failure isn't important enough to block pushes, get rid +# of all the error checking +open my $log_fh, ">>", $ENV{GL_LOG} or die "open log failed: $!\n"; +print $log_fh "$ENV{GL_TS} $perm\t" . + substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) . + "\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$refex\n"; +close $log_fh or die "close log failed: $!\n"; +exit 0; |