-rwxr-xr-x | gitaclhook | 10 | ||||
-rw-r--r-- | lib/GitACL.pm | 15 | ||||
-rw-r--r-- | lib/GitACL/File.pm | 6 | ||||
-rw-r--r-- | lib/GitACL/LDAP.pm | 4 |
4 files changed, 27 insertions, 8 deletions
@@ -1,5 +1,5 @@ #! /usr/bin/perl -# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org> +# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -142,7 +142,8 @@ which is being updated and the user who requests the update, its I<OP> contains the opcode of the requested operation and I<REF> matches the affected ref. Missing I<REF> and/or I<OP> are treated as a match. -If no rule applies, the operation is allowed. +If no rule applies, the operation is denied. This can be changed by setting +B<hooks.acldefault = allow> in Git configuration file. For example, assume you have the following ACL file: @@ -246,6 +247,11 @@ be displayed. Suppress diagnostics on stderr. +=item B<hooks.acldefault> B<allow>|B<deny> + +Sets the default rule, i.e. the one that will be executed if no other +rule matched the request. Unless defined, B<deny> is assumed. + =item B<hooks.httpd-user> STRING Name of the user httpd runs as. Define it if the repository can be diff --git a/lib/GitACL.pm b/lib/GitACL.pm index f1f792a..9cd381d 100644 --- a/lib/GitACL.pm +++ b/lib/GitACL.pm @@ -71,6 +71,20 @@ sub allow($$) { exit 0; } +sub default_rule($) { + my $self = shift; + my $def = GitACL::git_value('config', 'hooks.acldefault'); + my $msg = "default rule"; + if (defined($def)) { + if ($def eq "allow") { + $self->allow($msg); + } elsif ($def ne "deny") { + $msg .= " (warning: hooks.acldefault has invalid value)"; + } + } + $self->deny($msg); +} + sub info($$) { my ($self, $msg) = @_; $self->logmsg("INFO", $msg); @@ -209,7 +223,6 @@ sub new { } $obj->{project_name} = get_project_name($obj->{git_dir}); - $obj->deny("need a ref name") unless defined($args{ref}); $obj->deny("bogus ref $args{ref}") unless $args{ref} =~ s,^refs/,,; $obj->{ref} = $args{ref}; diff --git a/lib/GitACL/File.pm b/lib/GitACL/File.pm index 8842ffd..efabfd4 100644 
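Review bot: In the new `default_rule` in lib/GitACL.pm, the `allow` branch is correct only because `allow()` ends in `exit 0;` (visible in the context just above the added sub); nothing in the sub says so, and it reads as if an explicit allow falls through to `$self->deny($msg)`. I would make the control flow explicit with `return $self->allow($msg);`, or at least add a comment such as `# allow() and deny() terminate the hook; they do not return`. The fall-through is fail-closed, which is the right direction for an ACL hook, so this is about readability rather than a bypass. Separately, the invalid-value warning is only appended to the deny message; whether the repository administrator ever sees it depends on what `deny()` logs, which is outside this hunk.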
--- a/lib/GitACL/File.pm +++ b/lib/GitACL/File.pm @@ -1,5 +1,5 @@ # This file is part of gitaclhook -*- perl -*- -# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org> +# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org> # # Gitaclhook is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -24,7 +24,7 @@ sub check_acl { my @ret; my $filename = GitACL::git_value('config', 'hooks.aclfile'); - $self->allow("no ACL configured for ".$self->project_name) + $self->allow("no ACL configured for ".$self->{project_name}) unless defined($filename); open($fd, "<", $filename) @@ -52,7 +52,7 @@ sub check_acl { exit(127); } close($fd); - $self->allow("default rule"); + $self->default_rule; } 1; diff --git a/lib/GitACL/LDAP.pm b/lib/GitACL/LDAP.pm index d8d5489..22bfd8d 100644 --- a/lib/GitACL/LDAP.pm +++ b/lib/GitACL/LDAP.pm @@ -1,5 +1,5 @@ # This file is part of gitaclhook -*- perl -*- -# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org> +# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org> # # Gitaclhook is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -108,7 +108,7 @@ sub check_acl($) { exit(127); } $ldap->unbind; - $self->allow("default rule"); + $self->default_rule; } 1; |
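Review bot: In `check_acl` of lib/GitACL/File.pm, the guard `$self->allow("no ACL configured for ".$self->{project_name}) unless defined($filename);` still allows every update when `hooks.aclfile` is unset. The new deny-by-default policy therefore does not cover a repository where the hook is installed but the ACL file setting is missing or was removed. If that is intentional, say so next to the guard with a comment such as `# no hooks.aclfile: ACL checking is disabled here, hooks.acldefault is not consulted`, and mention it in the `hooks.acldefault` documentation. Otherwise route the case through the default rule with `$self->default_rule unless defined($filename);`. The body of check_acl continues outside the hunk, so the handling of a configured but unreadable file is not visible here.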