@all for repos is now much cleaner; a true @all...

- no need to put it at the end of the config file now, yeaaay!
  - @all for @all is meaningless and not supported.  People asking will
    be told to get a life or use git-daemon.
  - NAME/ limits for @all repos is ignored for efficiency reasons.
This commit is contained in:
Sitaram Chamarty 2010-03-23 22:20:34 +05:30
parent a3f1258a0a
commit 7bfb3676b7
7 changed files with 28 additions and 26 deletions

View file

@ -107,11 +107,8 @@ repo gitolite
repo @oss_repos
R = @all
# set permissions to all already defined repos
# (a repository is defined if it has permission rules
# associated, empty "repo" stanza or "@group=..." line is
# not enough). *Please* do see doc/3-faq-tips-etc.mkd for
# some important notes on this feature
# set permissions to all repos. *Please* do see
# doc/3-faq-tips-etc.mkd for notes on this feature
repo @all
RW+ = @admins

View file

@ -126,16 +126,12 @@ seem to hurt anything. [Update 2009-09-14; this has been fixed in git
### `@all` syntax for repos
There *is* a way to use the `@all` syntax for repos also, as described in
`conf/example.conf`. However, there is an important difference between this
and the old `@all` (for users):
`conf/example.conf`. However, there are a couple of minor cautions:
* `@all` for repos is immediately expanded, when found, into the currently
known list of repos. "Currently" means upto this point in the config
file, and "known" means having some user with some permissions associated
with the repo!
* This means that if you really want *all* repos, you'd better put this para
at the **end** of the config file!
* don't use `NAME/` or such restrictions on the special `@all` repo. Due to
the potential for defeating a crucial optimisation and slowing down *all*
access, we do not support this.
* don't try giving `@all` users some permission for `@all` repos
### umask setting

View file

@ -185,8 +185,8 @@ allowed to *create* repos matching that pattern.
In addition, there is also the "expand" command, which takes any regex pattern
and returns you a list of all wildcard-created repos that you have access to
which fit that pattern. And if, as an administrator, you wish to list out
*every single* repo that your users have created, add this to the *end* of the
config file:
*every single* repo that your users have created, add this to your config
file:
repo @all
R = sitaram # or whoever you are

View file

@ -76,8 +76,9 @@ $perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
$perm = '+' if $oldsha ne $merge_base;
my @allowed_refs;
# we want specific perms to override @all, so they come first
# @all repos: see comments in similar code in check_access
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{'@all'} {$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
# prepare the list of refs to be checked
@ -88,6 +89,7 @@ push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
# been specified
my @refs = ($ref); # the first ref to check is the real one
# because making it work screws up efficiency like no tomorrow...
if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
# this is special to git -- the hash of an empty tree
my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904';

View file

@ -284,9 +284,13 @@ sub report_basic
system("cat", ($GL_PACKAGE_CONF || "$GL_ADMINDIR/conf") . "/VERSION");
print "\ryou have the following permissions:\r\n";
for my $r (sort keys %repos) {
my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : ' ' ) );
$perm .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{$r}{R}{$user} ? ' R' : ' ' ) );
$perm .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{$r}{W}{$user} ? ' W' : ' ' ) );
# @all repos; meaning of read/write flags:
# @ => @all users are allowed access to this repo
# r/w => you are allowed access to @all repos
# R/W => you are allowed access to this repo
my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : ' ' ) );
$perm .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$r}{R}{$user} ? ' R' : ' ' )));
$perm .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$r}{W}{$user} ? ' W' : ' ' )));
print "$perm\t$r\r\n" if $perm =~ /\S/;
}
}
@ -333,8 +337,9 @@ sub expand_wild
$creater = "($creater)";
}
my $perm = ' ';
$perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{$actual_repo}{R}{$user} ? ' R' : ' ' ) );
$perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{$actual_repo}{W}{$user} ? ' W' : ' ' ) );
# @all repos; see notes above
$perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$actual_repo}{R}{$user} ? ' R' : ' ' )));
$perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$actual_repo}{W}{$user} ? ' W' : ' ' )));
next if $perm eq ' ';
print "$perm\t$creater\t$actual_repo\n";
}
@ -390,8 +395,11 @@ sub check_access
# bit, sadly), this code duplicates stuff in the current update hook.
my @allowed_refs;
# we want specific perms to override @all, so they come first
# user+repo specific perms override everything else, so they come first.
# Then perms given to specific user for @all repos, and finally perms
# given to @all users for specific repo
push @allowed_refs, @ { $repos{$repo}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{'@all'}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{$repo}{'@all'} || [] };
&check_ref(\@allowed_refs, $repo, $ref, $perm);

View file

@ -188,6 +188,7 @@ my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');
die "$perm access for $repo DENIED to $user\n"
unless $repos{$repo}{$perm}{$user}
or $repos{'@all'}{$perm}{$user} # new: access to @all repos
or $repos{$repo}{$perm}{'@all'};
# ----------------------------------------------------------------------------

View file

@ -184,9 +184,7 @@ sub parse_conf_file
{
# grab the list and expand any @stuff in it
@repos = split ' ', $1;
if (@repos == 1 and $repos[0] eq '@all') {
@repos = keys %repos;
} else {
unless (@repos == 1 and $repos[0] eq '@all') {
@repos = expand_list ( @repos );
do { die "$ABRT bad reponame $_\n" unless ($GL_WILDREPOS ? $_ =~ $REPOPATT_PATT : $_ =~ $REPONAME_PATT) } for @repos;
}