@all for repos is now much cleaner; a true @all...

- no need to put it at the end of the config file now, yeaaay!
  - @all for @all is meaningless and not supported.  People asking will
    be told to get a life or use git-daemon.
  - NAME/ limits for @all repos are ignored for efficiency reasons.
Sitaram Chamarty 2010-03-23 22:20:34 +05:30
parent a3f1258a0a
commit 7bfb3676b7
7 changed files with 28 additions and 26 deletions


@ -107,11 +107,8 @@ repo gitolite
repo @oss_repos repo @oss_repos
R = @all R = @all
# set permissions to all already defined repos # set permissions to all repos. *Please* do see
# (a repository is defined if it has permission rules # doc/3-faq-tips-etc.mkd for notes on this feature
# associated, empty "repo" stanza or "@group=..." line is
# not enough). *Please* do see doc/3-faq-tips-etc.mkd for
# some important notes on this feature
repo @all repo @all
RW+ = @admins RW+ = @admins


@ -126,16 +126,12 @@ seem to hurt anything. [Update 2009-09-14; this has been fixed in git
### `@all` syntax for repos ### `@all` syntax for repos
There *is* a way to use the `@all` syntax for repos also, as described in There *is* a way to use the `@all` syntax for repos also, as described in
`conf/example.conf`. However, there is an important difference between this `conf/example.conf`. However, there are a couple of minor cautions:
and the old `@all` (for users):
* `@all` for repos is immediately expanded, when found, into the currently * don't use `NAME/` or such restrictions on the special `@all` repo. Due to
known list of repos. "Currently" means upto this point in the config the potential for defeating a crucial optimisation and slowing down *all*
file, and "known" means having some user with some permissions associated access, we do not support this.
with the repo! * don't try giving `@all` users some permission for `@all` repos
* This means that if you really want *all* repos, you'd better put this para
at the **end** of the config file!
### umask setting ### umask setting


@ -185,8 +185,8 @@ allowed to *create* repos matching that pattern.
In addition, there is also the "expand" command, which takes any regex pattern In addition, there is also the "expand" command, which takes any regex pattern
and returns you a list of all wildcard-created repos that you have access to and returns you a list of all wildcard-created repos that you have access to
which fit that pattern. And if, as an administrator, you wish to list out which fit that pattern. And if, as an administrator, you wish to list out
*every single* repo that your users have created, add this to the *end* of the *every single* repo that your users have created, add this to your config
config file: file:
repo @all repo @all
R = sitaram # or whoever you are R = sitaram # or whoever you are


@ -76,8 +76,9 @@ $perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
$perm = '+' if $oldsha ne $merge_base; $perm = '+' if $oldsha ne $merge_base;
my @allowed_refs; my @allowed_refs;
# we want specific perms to override @all, so they come first # @all repos: see comments in similar code in check_access
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] }; push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{'@all'} {$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] }; push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
# prepare the list of refs to be checked # prepare the list of refs to be checked
@ -88,6 +89,7 @@ push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
# been specified # been specified
my @refs = ($ref); # the first ref to check is the real one my @refs = ($ref); # the first ref to check is the real one
# because making it work screws up efficiency like no tomorrow...
if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) { if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
# this is special to git -- the hash of an empty tree # this is special to git -- the hash of an empty tree
my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904'; my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904';
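Review bot: The added comment `# because making it work screws up efficiency like no tomorrow...` above the `NAME_LIMITS` test starts mid-sentence and never says what is being left out. Going by the commit message it refers to `NAME/` limits written under `repo @all`: the test only looks at `$repos{$ENV{GL_REPO}}{NAME_LIMITS}`, so as far as these lines show, a file-name restriction placed on `@all` repos is not enforced here. The comment should state that in full, e.g. `# NAME/ limits given under "repo @all" are NOT checked here (only the repo's own NAME_LIMITS are), because making it work screws up efficiency`. The `if` block continues outside the hunk.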


@ -284,9 +284,13 @@ sub report_basic
system("cat", ($GL_PACKAGE_CONF || "$GL_ADMINDIR/conf") . "/VERSION"); system("cat", ($GL_PACKAGE_CONF || "$GL_ADMINDIR/conf") . "/VERSION");
print "\ryou have the following permissions:\r\n"; print "\ryou have the following permissions:\r\n";
for my $r (sort keys %repos) { for my $r (sort keys %repos) {
my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : ' ' ) ); # @all repos; meaning of read/write flags:
$perm .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{$r}{R}{$user} ? ' R' : ' ' ) ); # @ => @all users are allowed access to this repo
$perm .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{$r}{W}{$user} ? ' W' : ' ' ) ); # r/w => you are allowed access to @all repos
# R/W => you are allowed access to this repo
my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : ' ' ) );
$perm .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$r}{R}{$user} ? ' R' : ' ' )));
$perm .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$r}{W}{$user} ? ' W' : ' ' )));
print "$perm\t$r\r\n" if $perm =~ /\S/; print "$perm\t$r\r\n" if $perm =~ /\S/;
} }
} }
@ -333,8 +337,9 @@ sub expand_wild
$creater = "($creater)"; $creater = "($creater)";
} }
my $perm = ' '; my $perm = ' ';
$perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{$actual_repo}{R}{$user} ? ' R' : ' ' ) ); # @all repos; see notes above
$perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{$actual_repo}{W}{$user} ? ' W' : ' ' ) ); $perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$actual_repo}{R}{$user} ? ' R' : ' ' )));
$perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$actual_repo}{W}{$user} ? ' W' : ' ' )));
next if $perm eq ' '; next if $perm eq ' ';
print "$perm\t$creater\t$actual_repo\n"; print "$perm\t$creater\t$actual_repo\n";
} }
@ -390,8 +395,11 @@ sub check_access
# bit, sadly), this code duplicates stuff in the current update hook. # bit, sadly), this code duplicates stuff in the current update hook.
my @allowed_refs; my @allowed_refs;
# we want specific perms to override @all, so they come first # user+repo specific perms override everything else, so they come first.
# Then perms given to specific user for @all repos, and finally perms
# given to @all users for specific repo
push @allowed_refs, @ { $repos{$repo}{$ENV{GL_USER}} || [] }; push @allowed_refs, @ { $repos{$repo}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{'@all'}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{$repo}{'@all'} || [] }; push @allowed_refs, @ { $repos{$repo}{'@all'} || [] };
&check_ref(\@allowed_refs, $repo, $ref, $perm); &check_ref(\@allowed_refs, $repo, $ref, $perm);
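Review bot: The new ordering comment in `check_access` gives the order but not its consequence. A user's rules under `repo @all` are pushed ahead of the repo's own rules for `@all` users, so, assuming `check_ref` acts on the first matching entry (its body is not in this hunk), a broad grant under `repo @all` cannot be narrowed for one repo by a rule written for `@all` users there. I would add a line such as `# NOTE: a user's "repo @all" rules are consulted before this repo's rules for @all users`, and repeat it in the update hook, which carries the same three pushes. Separately, `report_basic` and `expand_wild` now repeat the same three-way nested ternary four times; a small helper taking the repo, the flag letter and the user would keep the displayed flags in step with the access check.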


@ -188,6 +188,7 @@ my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');
die "$perm access for $repo DENIED to $user\n" die "$perm access for $repo DENIED to $user\n"
unless $repos{$repo}{$perm}{$user} unless $repos{$repo}{$perm}{$user}
or $repos{'@all'}{$perm}{$user} # new: access to @all repos
or $repos{$repo}{$perm}{'@all'}; or $repos{$repo}{$perm}{'@all'};
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
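Review bot: The added `or $repos{'@all'}{$perm}{$user}` clause has no exception for any repository, so a user named under `repo @all` passes this check for every repo name that reaches it, presumably including the admin repo and wildcard repos created by other users. That scope is worth stating next to the check, because the trailing comment `# new: access to @all repos` says only that the clause is new and will go stale. Something like `# user has $perm on every repo via "repo @all" (no repo is exempt)` records what the line actually grants.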


@ -184,9 +184,7 @@ sub parse_conf_file
{ {
# grab the list and expand any @stuff in it # grab the list and expand any @stuff in it
@repos = split ' ', $1; @repos = split ' ', $1;
if (@repos == 1 and $repos[0] eq '@all') { unless (@repos == 1 and $repos[0] eq '@all') {
@repos = keys %repos;
} else {
@repos = expand_list ( @repos ); @repos = expand_list ( @repos );
do { die "$ABRT bad reponame $_\n" unless ($GL_WILDREPOS ? $_ =~ $REPOPATT_PATT : $_ =~ $REPONAME_PATT) } for @repos; do { die "$ABRT bad reponame $_\n" unless ($GL_WILDREPOS ? $_ =~ $REPOPATT_PATT : $_ =~ $REPONAME_PATT) } for @repos;
} }
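Review bot: With this change a lone `@all` skips both `expand_list` and the `bad reponame` check and carries on as a literal repo name, yet nothing in the visible lines rejects the two combinations the commit message rules out (`@all` users under `repo @all`, and `NAME/` limits under `repo @all`). The message says the `NAME/` case is simply ignored, so a compile-time `die "$ABRT ..."` where the rule lines are parsed would tell the admin immediately instead of leaving a restriction that looks active but is not. That parsing is outside this hunk, so such a check may already exist. On style, `unless` with a compound `and` condition reads less clearly than `if (not (@repos == 1 and $repos[0] eq '@all'))`.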