Change default rule to "deny".

The old behavior can be restored by setting 'hooks.acldefault = allow' in Git configuration. * gitaclhook: Document hooks.acldefault. * lib/GitACL.pm (default_rule): New sub. * lib/GitACL/File.pm (check_acl): Use default_rule. Fix incorrect reference to project_name. * lib/GitACL/LDAP.pm (check_acl): Use default_rule.
author: Sergey Poznyakoff <gray@gnu.org.ua> 2014-04-25 13:07:46 +0300
committer: Sergey Poznyakoff <gray@gnu.org.ua> 2014-04-25 13:07:46 +0300
commit: ba7a48a2b88b33c6c49511fd4422d255264fac98 (patch)
tree: c82f927e550d44bda4777284838c58eacb6035ea
parent: 8291c8576d80453ec7c70cdb8d3baf2dd72cfae4 (diff)
download: gitaclhook-ba7a48a2b88b33c6c49511fd4422d255264fac98.tar.gz
gitaclhook-ba7a48a2b88b33c6c49511fd4422d255264fac98.tar.bz2
4 files changed, 27 insertions, 8 deletions
diff --git a/gitaclhook b/gitaclhook
index 5d0d79b..f9b5974 100755
--- a/gitaclhook
+++ b/gitaclhook
@@ -1,3 +1,3 @@
 #! /usr/bin/perl
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
@@ -144,3 +144,4 @@ ref.  Missing I<REF> and/or I<OP> are treated as a match.
-If no rule applies, the operation is allowed.
+If no rule applies, the operation is denied.  This can be changed by setting
+B<hooks.acldefault = allow> in Git configuration file.
@@ -248,2 +249,7 @@ Suppress diagnostics on stderr.
+=item B<hooks.acldefault> B<allow>|B<deny>
+Sets the default rule, i.e. the one that will be executed if no other
+rule matched the request.  Unless defined, B<deny> is assumed.
+    
 =item B<hooks.httpd-user> STRING
diff --git a/lib/GitACL.pm b/lib/GitACL.pm
index f1f792a..9cd381d 100644
--- a/lib/GitACL.pm
+++ b/lib/GitACL.pm
@@ -73,2 +73,16 @@ sub allow($$) {
+sub default_rule($) {
+    my $self = shift;
+    my $def = GitACL::git_value('config', 'hooks.acldefault');
+    my $msg = "default rule";
+    if (defined($def)) {
+        if ($def eq "allow") {
+            $self->allow($msg);
+        } elsif ($def ne "deny") {
+            $msg .= " (warning: hooks.acldefault has invalid value)";
+        }
+    }
+    $self->deny($msg);
+}
 sub info($$) {
@@ -211,3 +225,2 @@ sub new {
    $obj->{project_name} = get_project_name($obj->{git_dir});
    $obj->deny("need a ref name") unless defined($args{ref});
diff --git a/lib/GitACL/File.pm b/lib/GitACL/File.pm
index 8842ffd..efabfd4 100644
--- a/lib/GitACL/File.pm
+++ b/lib/GitACL/File.pm
@@ -1,3 +1,3 @@
 # This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
@@ -26,3 +26,3 @@ sub check_acl {
    my $filename = GitACL::git_value('config', 'hooks.aclfile');
-    $self->allow("no ACL configured for ".$self->project_name)
+    $self->allow("no ACL configured for ".$self->{project_name})
        unless defined($filename);
@@ -54,3 +54,3 @@ sub check_acl {
    close($fd);
-    $self->allow("default rule");
+    $self->default_rule;
 }
diff --git a/lib/GitACL/LDAP.pm b/lib/GitACL/LDAP.pm
index d8d5489..22bfd8d 100644
--- a/lib/GitACL/LDAP.pm
+++ b/lib/GitACL/LDAP.pm
@@ -1,3 +1,3 @@
 # This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
@@ -110,3 +110,3 @@ sub check_acl($) {
    $ldap->unbind;
-    $self->allow("default rule");
+    $self->default_rule;
 }
author	Sergey Poznyakoff <gray@gnu.org.ua>	2014-04-25 13:07:46 +0300
committer	Sergey Poznyakoff <gray@gnu.org.ua>	2014-04-25 13:07:46 +0300
commit	ba7a48a2b88b33c6c49511fd4422d255264fac98 (patch)
tree	c82f927e550d44bda4777284838c58eacb6035ea
parent	8291c8576d80453ec7c70cdb8d3baf2dd72cfae4 (diff)
download	gitaclhook-ba7a48a2b88b33c6c49511fd4422d255264fac98.tar.gz gitaclhook-ba7a48a2b88b33c6c49511fd4422d255264fac98.tar.bz2