@all for repos is now much cleaner; a true @all...

- no need to put it at the end of the config file now, yeaaay! - @all for @all is meaningless and not supported. People asking will be told to get a life or use git-daemon. - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-23 22:20:34 +05:30 · 2010-03-23 22:20:34 +05:30 · 7bfb3676b7
parent a3f1258a0a
commit 7bfb3676b7
7 changed files with 28 additions and 26 deletions
--- a/conf/example.conf
+++ b/conf/example.conf
@ -107,11 +107,8 @@ repo    gitolite
 repo    @oss_repos
        R                               =   @all

-                # set permissions to all already defined repos
-                # (a repository is defined if it has permission rules
-                # associated, empty "repo" stanza or "@group=..." line is
-                # not enough).  *Please* do see doc/3-faq-tips-etc.mkd for
-                # some important notes on this feature
+                # set permissions to all repos.  *Please* do see
+                # doc/3-faq-tips-etc.mkd for notes on this feature
 repo    @all
        RW+                             =   @admins

--- a/doc/3-faq-tips-etc.mkd
+++ b/doc/3-faq-tips-etc.mkd
@ -126,16 +126,12 @@ seem to hurt anything.  [Update 2009-09-14; this has been fixed in git
 ### `@all` syntax for repos

 There *is* a way to use the `@all` syntax for repos also, as described in
-`conf/example.conf`.  However, there is an important difference between this
-and the old `@all` (for users):
+`conf/example.conf`.  However, there are a couple of minor cautions:

-  * `@all` for repos is immediately expanded, when found, into the currently
-    known list of repos.  "Currently" means upto this point in the config
-    file, and "known" means having some user with some permissions associated
-    with the repo!
-
-  * This means that if you really want *all* repos, you'd better put this para
-    at the **end** of the config file!
+  * don't use `NAME/` or such restrictions on the special `@all` repo.  Due to
+    the potential for defeating a crucial optimisation and slowing down *all*
+    access, we do not support this.
+  * don't try giving `@all` users some permission for `@all` repos

 ### umask setting

--- a/doc/4-wildcard-repositories.mkd
+++ b/doc/4-wildcard-repositories.mkd
@ -185,8 +185,8 @@ allowed to *create* repos matching that pattern.
 In addition, there is also the "expand" command, which takes any regex pattern
 and returns you a list of all wildcard-created repos that you have access to
 which fit that pattern.  And if, as an administrator, you wish to list out
-*every single* repo that your users have created, add this to the *end* of the
-config file:
+*every single* repo that your users have created, add this to your config
+file:

    repo @all
        R       =   sitaram     # or whoever you are
--- a/hooks/common/update
+++ b/hooks/common/update
@ -76,8 +76,9 @@ $perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
 $perm = '+' if $oldsha ne $merge_base;

 my @allowed_refs;
-# we want specific perms to override @all, so they come first
+# @all repos: see comments in similar code in check_access
 push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
+push @allowed_refs, @ { $repos{'@all'}       {$ENV{GL_USER}} || [] };
 push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };

 # prepare the list of refs to be checked
@ -88,6 +89,7 @@ push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
 # been specified

 my @refs = ($ref);      # the first ref to check is the real one
+# because making it work screws up efficiency like no tomorrow...
 if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
    # this is special to git -- the hash of an empty tree
    my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904';
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@ -284,9 +284,13 @@ sub report_basic
    system("cat", ($GL_PACKAGE_CONF || "$GL_ADMINDIR/conf") . "/VERSION");
    print "\ryou have the following permissions:\r\n";
    for my $r (sort keys %repos) {
-        my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : '  ' ) );
-        $perm    .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{$r}{R}{$user} ? ' R' : '  ' ) );
-        $perm    .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{$r}{W}{$user} ? ' W' : '  ' ) );
+        # @all repos; meaning of read/write flags:
+        #   @ => @all users are allowed access to this repo
+        # r/w => you        are allowed access to @all repos
+        # R/W => you        are allowed access to this repo
+        my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' :                                     ( $repos{$r}{C}{$user} ? ' C' : '  ' ) );
+        $perm    .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$r}{R}{$user} ? ' R' : '  ' )));
+        $perm    .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$r}{W}{$user} ? ' W' : '  ' )));
        print "$perm\t$r\r\n" if $perm =~ /\S/;
    }
 }
@ -333,8 +337,9 @@ sub expand_wild
            $creater = "($creater)";
        }
        my $perm = '  ';
-        $perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{$actual_repo}{R}{$user} ? ' R' : '  ' ) );
-        $perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{$actual_repo}{W}{$user} ? ' W' : '  ' ) );
+        # @all repos; see notes above
+        $perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$actual_repo}{R}{$user} ? ' R' : '  ' )));
+        $perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$actual_repo}{W}{$user} ? ' W' : '  ' )));
        next if $perm eq '      ';
        print "$perm\t$creater\t$actual_repo\n";
    }
@ -390,8 +395,11 @@ sub check_access
    # bit, sadly), this code duplicates stuff in the current update hook.

    my @allowed_refs;
-    # we want specific perms to override @all, so they come first
+    # user+repo specific perms override everything else, so they come first.
+    # Then perms given to specific user for @all repos, and finally perms
+    # given to @all users for specific repo
    push @allowed_refs, @ { $repos{$repo}{$ENV{GL_USER}} || [] };
+    push @allowed_refs, @ { $repos{'@all'}{$ENV{GL_USER}} || [] };
    push @allowed_refs, @ { $repos{$repo}{'@all'} || [] };

    &check_ref(\@allowed_refs, $repo, $ref, $perm);
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@ -188,6 +188,7 @@ my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');

 die "$perm access for $repo DENIED to $user\n"
    unless $repos{$repo}{$perm}{$user}
+        or $repos{'@all'}{$perm}{$user}     # new: access to @all repos
        or $repos{$repo}{$perm}{'@all'};

 # ----------------------------------------------------------------------------
--- a/src/gl-compile-conf
+++ b/src/gl-compile-conf
@ -184,9 +184,7 @@ sub parse_conf_file
        {
            # grab the list and expand any @stuff in it
            @repos = split ' ', $1;
-            if (@repos == 1 and $repos[0] eq '@all') {
-                @repos = keys %repos;
-            } else {
+            unless (@repos == 1 and $repos[0] eq '@all') {
                @repos = expand_list ( @repos );
                do  { die "$ABRT bad reponame $_\n" unless ($GL_WILDREPOS ? $_ =~ $REPOPATT_PATT : $_ =~ $REPONAME_PATT) } for @repos;
            }