compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW
Summary: DONT forget to run src/gl-compile-conf as the last step in the upgrade Details: The compiled file format has changed quite a bit, to make it easier for the rebel edition coming up :-) compile: - we don't split RW/RW+ into individual perms anymore - we store the info required for the first level check separately now: (repo, R/W, user) - the order for second level check is now: repo, user, [{ref=>perms}...] (list of hashes) update hook logic: the first refex that: - matches the incoming ref, AND - contains the perm you're trying to use, causes the match loop to exit with success. Fallthrough is failure
This commit is contained in:
parent
2285e75c22
commit
978046acb9
|
@ -42,6 +42,12 @@ And you're done.
|
|||
If any extra steps beyond the generic ones above are needed, they will be
|
||||
listed here, newest first.
|
||||
|
||||
#### upgrading from 86faae4
|
||||
|
||||
Between 86faae4 and this version, gitolite had a *major* change in the
|
||||
*internal* format of the compiled config file. Please do not omit step 5 in
|
||||
the generic instructions above.
|
||||
|
||||
#### upgrading from 5758f69
|
||||
|
||||
Between 5758f69 and this version, gitolite learnt to allow "groupnames" for
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
use strict;
|
||||
use warnings;
|
||||
use Data::Dumper;
|
||||
$Data::Dumper::Indent = 1;
|
||||
|
||||
# === add-auth-keys ===
|
||||
|
||||
|
@ -146,8 +147,7 @@ while (<$conf_fh>)
|
|||
# actual permission line
|
||||
elsif (/^(R|RW|RW\+) (.* )?= (.+)/)
|
||||
{
|
||||
# split perms to separate out R, W, and +
|
||||
my @perms = split //, $1;
|
||||
my $perms = $1;
|
||||
my @refs; @refs = split(' ', $2) if $2;
|
||||
my @users = split ' ', $3;
|
||||
|
||||
|
@ -164,12 +164,17 @@ while (<$conf_fh>)
|
|||
|
||||
# ok, we can finally populate the %repos hash
|
||||
for my $repo (@repos) # each repo in the current stanza
|
||||
{
|
||||
for my $perm (@perms)
|
||||
{
|
||||
for my $user (@users)
|
||||
{
|
||||
push @{ $repos{$repo}{$perm}{$user} }, @refs;
|
||||
# for 1st level check (see faq/tips doc)
|
||||
$repos{$repo}{R}{$user} = 1 if $perms =~ /R/;
|
||||
$repos{$repo}{W}{$user} = 1 if $perms =~ /W/;
|
||||
|
||||
# for 2nd level check, store each "ref, perms" pair in order
|
||||
for my $ref (@refs)
|
||||
{
|
||||
push @{ $repos{$repo}{$user} }, { $ref => $perms };
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -58,13 +58,17 @@ $perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
|
|||
$perm = '+' if $oldsha ne $merge_base;
|
||||
|
||||
my @allowed_refs;
|
||||
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{$ENV{GL_USER}} || [] };
|
||||
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{'@all'} || [] };
|
||||
push @allowed_refs, "$PERSONAL/$ENV{GL_USER}/" if $PERSONAL;
|
||||
for my $refex (@allowed_refs)
|
||||
# refex? sure -- a regex to match a ref against :)
|
||||
# personal stuff -- right at the start in the new regime, I guess!
|
||||
push @allowed_refs, { "$PERSONAL/$ENV{GL_USER}/" => "RW+" } if $PERSONAL;
|
||||
# we want specific perms to override @all, so they come first
|
||||
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
|
||||
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
|
||||
for my $ar (@allowed_refs)
|
||||
{
|
||||
if ($ref =~ /$refex/)
|
||||
my $refex = (keys %$ar)[0];
|
||||
# refex? sure -- a regex to match a ref against :)
|
||||
next unless $ref =~ /$refex/;
|
||||
if ($ar->{$refex} =~ /\Q$perm/)
|
||||
{
|
||||
# if log failure isn't important enough to block pushes, get rid of
|
||||
# all the error checking
|
||||
|
@ -72,9 +76,9 @@ for my $refex (@allowed_refs)
|
|||
or die "open log failed: $!\n";
|
||||
print $log_fh "$ENV{GL_TS} $perm\t" .
|
||||
substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
|
||||
"\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\n";
|
||||
"\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$refex\n";
|
||||
close $log_fh or die "close log failed: $!\n";
|
||||
exit 0;
|
||||
}
|
||||
}
|
||||
exit 1;
|
||||
die "$perm $ref $ENV{GL_USER} DENIED by fallthru\n";
|
||||
|
|
Loading…
Reference in a new issue