4 files changed, 27 insertions, 8 deletions

diff --git a/gitaclhook b/gitaclhook
index 5d0d79b..f9b5974 100755
--- a/gitaclhook
+++ b/gitaclhook
@@ -1,5 +1,5 @@
 #! /usr/bin/perl
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -142,7 +142,8 @@ which is being updated and the user who requests the update, its I<OP>
 contains the opcode of the requested operation and I<REF> matches the affected
 ref.  Missing I<REF> and/or I<OP> are treated as a match.
 
-If no rule applies, the operation is allowed.
+If no rule applies, the operation is denied.  This can be changed by setting
+B<hooks.acldefault = allow> in Git configuration file.
 
 For example, assume you have the following ACL file:
 
@@ -246,6 +247,11 @@ be displayed.
 
 Suppress diagnostics on stderr.
 
+=item B<hooks.acldefault> B<allow>|B<deny>
+
+Sets the default rule, i.e. the one that will be executed if no other
+rule matched the request.  Unless defined, B<deny> is assumed.
+    
 =item B<hooks.httpd-user> STRING
 
 Name of the user httpd runs as.  Define it if the repository can be
diff --git a/lib/GitACL.pm b/lib/GitACL.pm
index f1f792a..9cd381d 100644
--- a/lib/GitACL.pm
+++ b/lib/GitACL.pm
@@ -71,6 +71,20 @@ sub allow($$) {
     exit 0;
 }
 
+sub default_rule($) {
+    my $self = shift;
+    my $def = GitACL::git_value('config', 'hooks.acldefault');
+    my $msg = "default rule";
+    if (defined($def)) {
+        if ($def eq "allow") {
+            $self->allow($msg);
+        } elsif ($def ne "deny") {
+            $msg .= " (warning: hooks.acldefault has invalid value)";
+        }
+    }
+    $self->deny($msg);
+}
+
 sub info($$) {
     my ($self, $msg) = @_;
     $self->logmsg("INFO", $msg);
@@ -209,7 +223,6 @@ sub new {
     }
 
     $obj->{project_name} = get_project_name($obj->{git_dir});
-
     $obj->deny("need a ref name") unless defined($args{ref});
     $obj->deny("bogus ref $args{ref}") unless $args{ref} =~ s,^refs/,,;
     $obj->{ref} = $args{ref};
diff --git a/lib/GitACL/File.pm b/lib/GitACL/File.pm
index 8842ffd..efabfd4 100644
--- a/lib/GitACL/File.pm
+++ b/lib/GitACL/File.pm
@@ -1,5 +1,5 @@
 # This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
 # Gitaclhook is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ sub check_acl {
     my @ret;
     
     my $filename = GitACL::git_value('config', 'hooks.aclfile');
-    $self->allow("no ACL configured for ".$self->project_name)
+    $self->allow("no ACL configured for ".$self->{project_name})
         unless defined($filename);
 
     open($fd, "<", $filename)
@@ -52,7 +52,7 @@ sub check_acl {
         exit(127);
     }
     close($fd);
-    $self->allow("default rule");
+    $self->default_rule;
 }
 
 1;
diff --git a/lib/GitACL/LDAP.pm b/lib/GitACL/LDAP.pm
index d8d5489..22bfd8d 100644
--- a/lib/GitACL/LDAP.pm
+++ b/lib/GitACL/LDAP.pm
@@ -1,5 +1,5 @@
 # This file is part of gitaclhook -*- perl -*-
-# Copyright (C) 2013 Sergey Poznyakoff <gray@gnu.org>
+# Copyright (C) 2013, 2014 Sergey Poznyakoff <gray@gnu.org>
 #
 # Gitaclhook is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -108,7 +108,7 @@ sub check_acl($) {
         exit(127);
     }
     $ldap->unbind;
-    $self->allow("default rule");
+    $self->default_rule;
 }
 
 1;