update-hook/pm: made check_ref a common sub

This commit is contained in:
Sitaram Chamarty 2010-01-31 23:56:58 +05:30 committed by Sitaram Chamarty
parent 0b960cfae2
commit 7f203fc020
2 changed files with 28 additions and 30 deletions

View file

@ -48,6 +48,32 @@ sub log_it {
close $log_fh or die "close log failed: $!\n"; close $log_fh or die "close log failed: $!\n";
} }
# check one ref
sub check_ref {
# normally, the $ref will be whatever ref the commit is trying to update
# (like refs/heads/master or whatever). At least one of the refexes that
# pertain to this user must match this ref **and** the corresponding
# permission must also match the action (W or +) being attempted. If none
# of them match, the access is denied.
# Notice that the function DIES!!! Any future changes that require more
# work to be done *after* this, even on failure, can start using return
# codes etc., but for now we're happy to just die.
my ($allowed_refs, $repo, $ref, $perm) = @_;
for my $ar (@{$allowed_refs}) {
my $refex = (keys %$ar)[0];
# refex? sure -- a regex to match a ref against :)
next unless $ref =~ /^$refex/;
die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
# as far as *this* ref is concerned we're ok
return $refex if ($ar->{$refex} =~ /\Q$perm/);
}
die "$perm $ref $repo $ENV{GL_USER} DENIED by fallthru\n";
}
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# where is the rc file hiding? # where is the rc file hiding?
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------

View file

@ -85,40 +85,12 @@ if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
push @refs, map { chomp; s/^/NAME\//; $_; } `git diff --name-only $oldtree $newtree`; push @refs, map { chomp; s/^/NAME\//; $_; } `git diff --name-only $oldtree $newtree`;
} }
my $refex = '';
# check one ref
sub check_ref {
# normally, the $ref will be whatever ref the commit is trying to update
# (like refs/heads/master or whatever). At least one of the refexes that
# pertain to this user must match this ref **and** the corresponding
# permission must also match the action (W or +) being attempted. If none
# of them match, the access is denied.
# Notice that the function DIES!!! Any future changes that require more
# work to be done *after* this, even on failure, can start using return
# codes etc., but for now we're happy to just die.
my $ref = shift;
for my $ar (@allowed_refs) {
$refex = (keys %$ar)[0];
# refex? sure -- a regex to match a ref against :)
next unless $ref =~ /^$refex/;
die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
# as far as *this* ref is concerned we're ok
return $refex if ($ar->{$refex} =~ /\Q$perm/);
}
die "$perm $ref $ENV{GL_REPO} $ENV{GL_USER} DENIED by fallthru\n";
}
# and in this version, we have many "refs" to check. The one we print in the # and in this version, we have many "refs" to check. The one we print in the
# log is the *first* one (which is a *real* ref, like refs/heads/master), # log is the *first* one (which is a *real* ref, like refs/heads/master),
# while all the rest (if they exist) are like NAME/something. So we do the # while all the rest (if they exist) are like NAME/something. So we do the
# first one separately to capture it, then run the rest (if any) # first one separately to capture it, then run the rest (if any)
my $log_refex = check_ref(shift @refs); my $log_refex = check_ref(\@allowed_refs, $ENV{GL_REPO}, (shift @refs), $perm);
check_ref($_) for @refs; &check_ref (\@allowed_refs, $ENV{GL_REPO}, $_ , $perm) for @refs;
# if we returned at all, all the checks succeeded, so we log the action and exit 0 # if we returned at all, all the checks succeeded, so we log the action and exit 0