authorSergey Poznyakoff <gray@gnu.org.ua>2014-04-25 13:07:46 +0300
committerSergey Poznyakoff <gray@gnu.org.ua>2014-04-25 13:07:46 +0300
commitba7a48a2b88b33c6c49511fd4422d255264fac98 (patch)
treec82f927e550d44bda4777284838c58eacb6035ea /lib
parent8291c8576d80453ec7c70cdb8d3baf2dd72cfae4 (diff)
Change default rule to "deny".
The old behavior can be restored by setting 'hooks.acldefault = allow' in Git configuration. * gitaclhook: Document hooks.acldefault. * lib/GitACL.pm (default_rule): New sub. * lib/GitACL/File.pm (check_acl): Use default_rule. Fix incorrect reference to project_name. * lib/GitACL/LDAP.pm (check_acl): Use default_rule.
Diffstat (limited to 'lib')
-rw-r--r--lib/GitACL.pm15
-rw-r--r--lib/GitACL/File.pm6
-rw-r--r--lib/GitACL/LDAP.pm4
3 files changed, 19 insertions, 6 deletions
diff --git a/lib/GitACL.pm b/lib/GitACL.pm
index f1f792a..9cd381d 100644
--- a/lib/GitACL.pm
+++ b/lib/GitACL.pm
@@ -68,12 +68,26 @@ sub allow($$) {
"$self->{project_name}:$self->{user_name}:$opstr{$self->{op}}:$self->{ref}:$self->{old}:$self->{new}",
$loc);
$self->debug(1, "allow $loc");
exit 0;
}
+sub default_rule($) {
+ my $self = shift;
+ my $def = GitACL::git_value('config', 'hooks.acldefault');
+ my $msg = "default rule";
+ if (defined($def)) {
+ if ($def eq "allow") {
+ $self->allow($msg);
+ } elsif ($def ne "deny") {
+ $msg .= " (warning: hooks.acldefault has invalid value)";
+ }
+ }
+ $self->deny($msg);
+}
+
sub info($$) {
my ($self, $msg) = @_;
$self->logmsg("INFO", $msg);
print STDERR "info: $msg\n" if $self->{debug};
}
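Review bot: `default_rule` has no comment stating its fail-closed contract, and the final `$self->deny($msg)` is skipped on the allow path only because `allow` ends in `exit 0` (visible in the context lines at the top of this hunk). I would add a header comment such as `# Apply hooks.acldefault: "allow" permits (allow() exits); unset, "deny" or any other value denies.` so a later refactoring of `allow` cannot silently turn the fall-through into a deny after an allow. The comparison `$def eq "allow"` is exact, so a value like `Allow` takes the invalid-value branch and is denied; that is the safe direction, but the documentation of the setting should say that only the lowercase literals are accepted. The invalid-value warning is only appended to the deny message, so whether an administrator ever sees it depends on where `deny` reports, which this hunk does not show.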
@@ -206,13 +220,12 @@ sub new {
if (defined($httpdusr) and $obj->{user_name} eq $httpdusr) {
$obj->deny("need authenticated user") unless $ENV{AUTH_TYPE};
$obj->{user_name} = $ENV{REMOTE_USER};
}
$obj->{project_name} = get_project_name($obj->{git_dir});
-
$obj->deny("need a ref name") unless defined($args{ref});
$obj->deny("bogus ref $args{ref}") unless $args{ref} =~ s,^refs/,,;
$obj->{ref} = $args{ref};
$obj->deny("bad old value $args{old}")
unless $args{old} =~ /^[a-z0-9]{40}$/;
diff --git a/lib/GitACL/File.pm b/lib/GitACL/File.pm
index 8842ffd..efabfd4 100644
--- a/lib/GitACL/File.pm
+++ b/lib/GitACL/File.pm
@@ -1,8 +1,8 @@
# This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
#
# Gitaclhook is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3, or (at your option)
# any later version.
#
@@ -21,13 +21,13 @@ sub check_acl {
my $self = shift;
my $fd;
my $line = 0;
my @ret;
my $filename = GitACL::git_value('config', 'hooks.aclfile');
- $self->allow("no ACL configured for ".$self->project_name)
+ $self->allow("no ACL configured for ".$self->{project_name})
unless defined($filename);
open($fd, "<", $filename)
or $self->deny("cannot open configuration file: $!");
while (<$fd>) {
++$line;
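Review bot: The early `$self->allow("no ACL configured for ".$self->{project_name}) unless defined($filename);` still permits every update when `hooks.aclfile` is unset, so a repository that has the hook installed but no ACL file is not covered by the new deny default. If that is not intended, route this case through the same setting with `$self->default_rule unless defined($filename);`; if it is intended, a comment stating that an unconfigured repository is deliberately left open would prevent it from being read as an oversight. `check_acl` continues past the end of this hunk, so the rest of its body is not considered here.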
@@ -49,10 +49,10 @@ sub check_acl {
} else {
$res[0]->($self, "$filename:$line");
}
exit(127);
}
close($fd);
- $self->allow("default rule");
+ $self->default_rule;
}
1;
diff --git a/lib/GitACL/LDAP.pm b/lib/GitACL/LDAP.pm
index d8d5489..22bfd8d 100644
--- a/lib/GitACL/LDAP.pm
+++ b/lib/GitACL/LDAP.pm
@@ -1,8 +1,8 @@
# This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
#
# Gitaclhook is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3, or (at your option)
# any later version.
#
@@ -105,12 +105,12 @@ sub check_acl($) {
} else {
$res[0]->($self, $ent->dn);
}
exit(127);
}
$ldap->unbind;
- $self->allow("default rule");
+ $self->default_rule;
}
1;
