authorSergey Poznyakoff <gray@gnu.org.ua>2014-04-25 10:07:46 (GMT)
committer Sergey Poznyakoff <gray@gnu.org.ua>2014-04-25 10:07:46 (GMT)
commitba7a48a2b88b33c6c49511fd4422d255264fac98 (patch) (unidiff)
treec82f927e550d44bda4777284838c58eacb6035ea
parent8291c8576d80453ec7c70cdb8d3baf2dd72cfae4 (diff)
Change default rule to "deny".
The old behavior can be restored by setting 'hooks.acldefault = allow' in Git configuration. * gitaclhook: Document hooks.acldefault. * lib/GitACL.pm (default_rule): New sub. * lib/GitACL/File.pm (check_acl): Use default_rule. Fix incorrect reference to project_name. * lib/GitACL/LDAP.pm (check_acl): Use default_rule.
Diffstat (more/less context) (ignore whitespace changes)
-rwxr-xr-xgitaclhook10
-rw-r--r--lib/GitACL.pm15
-rw-r--r--lib/GitACL/File.pm6
-rw-r--r--lib/GitACL/LDAP.pm4
4 files changed, 27 insertions, 8 deletions
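--- a/gitaclhook
+++ b/gitaclhook
@@ -1,5 +1,5 @@
 #! /usr/bin/perl
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -142,7 +142,8 @@ which is being updated and the user who requests the update, its I<OP>
 contains the opcode of the requested operation and I<REF> matches the affected
 ref. Missing I<REF> and/or I<OP> are treated as a match.
 
-If no rule applies, the operation is allowed.
+If no rule applies, the operation is denied. This can be changed by setting
+B<hooks.acldefault = allow> in Git configuration file.
 
 For example, assume you have the following ACL file:
 
@@ -246,6 +247,11 @@ be displayed.
 
 Suppress diagnostics on stderr.
 
+=item B<hooks.acldefault> B<allow>|B<deny>
+
+Sets the default rule, i.e. the one that will be executed if no other
+rule matched the request. Unless defined, B<deny> is assumed.
+
 =item B<hooks.httpd-user> STRING
 
 Name of the user httpd runs as. Define it if the repository can be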
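--- a/lib/GitACL.pm
+++ b/lib/GitACL.pm
@@ -71,6 +71,20 @@ sub allow($$) {
  exit 0;
 }
 
+sub default_rule($) {
+ my $self = shift;
+ my $def = GitACL::git_value('config', 'hooks.acldefault');
+ my $msg = "default rule";
+ if (defined($def)) {
+ if ($def eq "allow") {
+ $self->allow($msg);
+ } elsif ($def ne "deny") {
+ $msg .= " (warning: hooks.acldefault has invalid value)";
+ }
+ }
+ $self->deny($msg);
+}
+
 sub info($$) {
  my ($self, $msg) = @_;
  $self->logmsg("INFO", $msg);
@@ -209,7 +223,6 @@ sub new {
  }
 
  $obj->{project_name} = get_project_name($obj->{git_dir});
-
  $obj->deny("need a ref name") unless defined($args{ref});
  $obj->deny("bogus ref $args{ref}") unless $args{ref} =~ s,^refs/,,;
  $obj->{ref} = $args{ref};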
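Review bot: default_rule has no comment saying that it never returns, or that its fail-closed result depends on allow() ending the process (the `exit 0;` closing allow() is visible just above the new sub). As written, an unset value, `deny` and any unrecognised value all fall through to the final `$self->deny($msg)`, which is the right behaviour for an access-control hook, but it is implicit in the control flow and easy to break in a later refactor. I would add a header comment such as `# Apply hooks.acldefault; never returns. Only the exact string "allow" permits the update; unset, "deny" or any other value is denied.` The comparison is an exact `eq`, so whether `Allow` or a value with trailing whitespace is rejected with the invalid-value warning depends on what git_value returns, which is outside this hunk and worth stating in the same comment once confirmed.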
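--- a/lib/GitACL/File.pm
+++ b/lib/GitACL/File.pm
@@ -1,5 +1,5 @@
 # This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
 # Gitaclhook is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ sub check_acl {
  my @ret;
 
  my $filename = GitACL::git_value('config', 'hooks.aclfile');
- $self->allow("no ACL configured for ".$self->project_name)
+ $self->allow("no ACL configured for ".$self->{project_name})
  unless defined($filename);
 
  open($fd, "<", $filename)
@@ -52,7 +52,7 @@ sub check_acl {
  exit(127);
  }
  close($fd);
- $self->allow("default rule");
+ $self->default_rule;
 }
 
 1;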
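Review bot: The first check_acl hunk still ends in `$self->allow("no ACL configured for ".$self->{project_name}) unless defined($filename);`, so a repository where hooks.aclfile is unset accepts every update regardless of the new deny default and of hooks.acldefault. If that is intentional (hook installed but not yet configured), it should be stated next to the hooks.acldefault documentation so that operators do not assume a missing ACL file fails closed. Otherwise the early exit should follow the same policy, e.g. `$self->default_rule unless defined($filename);`. The part of check_acl between the two hunks is not shown, and the LDAP backend's check_acl is only partly visible, so the same early allow may need checking there.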
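--- a/lib/GitACL/LDAP.pm
+++ b/lib/GitACL/LDAP.pm
@@ -1,5 +1,5 @@
 # This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
 # Gitaclhook is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -108,7 +108,7 @@ sub check_acl($) {
  exit(127);
  }
  $ldap->unbind;
- $self->allow("default rule");
+ $self->default_rule;
 }
 
 1;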
