2010-12-24 04:22:13 +01:00
|
|
|
#!/usr/bin/perl
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
use warnings;
|
|
|
|
|
2011-01-15 16:39:56 +01:00
|
|
|
die "ENV GL_RC not set\n" unless $ENV{GL_RC};
|
|
|
|
die "ENV GL_BINDIR not set\n" unless $ENV{GL_BINDIR};
|
|
|
|
|
2010-12-24 04:22:13 +01:00
|
|
|
unshift @INC, $ENV{GL_BINDIR};
|
|
|
|
require gitolite or die "parse gitolite.pm failed\n";
|
2011-01-15 16:39:56 +01:00
|
|
|
gitolite->import;
|
2010-12-24 04:22:13 +01:00
|
|
|
|
|
|
|
# get the repo name
|
|
|
|
my $repo = shift;
|
|
|
|
$repo =~ s/\.git$//;
|
|
|
|
# IMPORTANT NOTE: to do any of this inside a hook, you should just use
|
|
|
|
# $ENV{GL_REPO}, since it's guaranteed to be set to the right value
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# to do a "level 1" check (repo level -- not branch level), do this:
|
2011-01-15 16:39:56 +01:00
|
|
|
my ($perm, $creator) = check_access($repo);
|
2010-12-24 04:22:13 +01:00
|
|
|
# you can pass in any repo name you wish instead of the active repo
|
|
|
|
|
|
|
|
# the first return value looks like one of these, so you can just check for
|
|
|
|
# the presence of "R" or "W" and be done:
|
|
|
|
# _____R___W_
|
|
|
|
# _____R_____
|
|
|
|
# ___________
|
|
|
|
|
|
|
|
# The second value is "<gitolite>" for a normal repo, an actual username for
|
|
|
|
# a wildrepo, or "<notfound>" for a non-existent repo.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# to do a "level 2" check (branches), do something like this
|
2011-01-15 16:39:56 +01:00
|
|
|
my $ret = check_access($repo, 'refs/heads/foo', 'W', 1);
|
2010-12-24 04:22:13 +01:00
|
|
|
# the 2nd argument must be a *full* refname (i.e., not "master", but
|
|
|
|
# "refs/heads/master"). The 3rd argument is one of W, +, C, or D. The 4th
|
|
|
|
# argument should be any non-false perl value, like 1.
|
|
|
|
|
|
|
|
# the return value may look like this:
|
|
|
|
# refs/.*
|
|
|
|
# or perhaps this, if you were denied
|
|
|
|
# DENIED by fallthru
|
2011-02-21 16:55:43 +01:00
|
|
|
|
|
|
|
# NOTE: do NOT pass "R" as the 3rd argument. It will seem to work because
|
|
|
|
# you're merely testing the permissions in this code, but an *actual* "git
|
|
|
|
# fetch" for even a DENIED ref will succeed if the user has read access to at
|
|
|
|
# least one branch. This is because the information on what ref is being read
|
|
|
|
# is not made available externally in any useful way (the way the "update"
|
|
|
|
# hook gets its arguments when a push happens).
|