From c1de05a8a559827bd5f8f2b037c9e680a9c802fe Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Thu, 21 Jan 2010 08:40:26 +0530 Subject: [PATCH 1/2] doc/3: gitweb integ; trailing slash on $projectroot It's not clear whether $projectroot has or does not have a trailing slash. Current code assumes it does, but we need to cater for it not having one also. Otherwise the final reponame ends up with a leading slash, once $projectroot has been stripped from the beginning of the full repo path. --- doc/3-faq-tips-etc.mkd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd index a7ee05a..572d06c 100644 --- a/doc/3-faq-tips-etc.mkd +++ b/doc/3-faq-tips-etc.mkd @@ -347,7 +347,7 @@ already done and we just use it! $export_auth_hook = sub { my $reponame = shift; # gitweb passes us the full repo path; so we strip the beginning... - $reponame =~ s/\Q$projectroot//; + $reponame =~ s/\Q$projectroot\E\/?//; # ...and the end, to get the repo name as it is specified in gitolite conf $reponame =~ s/\.git$//; From b4a65ab73ce7abeaccd5f23c5b0a77d069e029bc Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Sat, 30 Jan 2010 08:35:43 +0530 Subject: [PATCH 2/2] doc/3: couple of clarifications - deny rules only apply to "W" ops - be more specific about what allows "R" to pass --- doc/3-faq-tips-etc.mkd | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd index 8b82086..4f305d0 100644 --- a/doc/3-faq-tips-etc.mkd +++ b/doc/3-faq-tips-etc.mkd 
@@ -217,8 +217,8 @@ Note that at this point no git program has entered the picture, and we have no way of knowing what **ref** (branch, tag, etc) he is trying to update, even if it is a "write" operation. -For a "read" operation to pass this check, the username (or `@all`) must be -mentioned on some line in the config for this repo. +For a "read" operation to pass this check, the username (or `@all`) must have +read permission (i.e., R, RW, or RW+) on at least one branch of the repo. For a "write" operation, there is an additional restriction: lines specifying only `R` (read access) don't count. *The user must have write access to @@ -501,7 +501,9 @@ that code path to better use :-) ***IMPORTANT CAVEAT: if you use deny rules, the order of the rules also makes a difference, where earlier it did not. Please review your ruleset carefully or test it. In particular, do not use `@all` in a deny rule -- it won't work -as you might expect***. +as you might expect***. Also, deny rules are only processed in the second +level checks (see "two levels of access rights checking" above), which means +they only apply to write operations. Take a look at the following snippet, which *seems* to say that "bruce" can write versioned tags (anything containing `refs/tags/v[0-9]`), but the other
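Review bot: In [PATCH 1/2], the substitution in `$export_auth_hook` is not anchored to the start of the string, so `s/\Q$projectroot\E\/?//` removes the first occurrence of `$projectroot` wherever it appears in the path, while the comment above it says the intent is to strip the beginning. The result is the repo name "as it is specified in gitolite conf", so it should be derived strictly; suggest `$reponame =~ s/^\Q$projectroot\E\/?//;`. Using `\/*` in place of `\/?` would also cover a doubled slash between `$projectroot` and the repo path, which the current pattern would leave as a leading slash.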
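Review bot: In [PATCH 2/2], hunk @@ -217, the new wording "on at least one branch of the repo" is narrower than the paragraph just above it, which speaks of a **ref** (branch, tag, etc). Read literally, a user whose only rule covers a tag pattern would not qualify; suggest "on at least one ref of the repo" so both paragraphs use the same term.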
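Review bot: In [PATCH 2/2], hunk @@ -501, the added sentence sits after the closing `***`, so the limitation that deny rules only apply to write operations falls outside the emphasised caveat and is easy to miss. It matters as much as the ordering point, because a reader could write a deny rule expecting it to block read access. Suggest moving the sentence inside the emphasis, or stating the consequence outright, for example "a deny rule cannot be used to restrict read access".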