From 981d693dec7e01fed4da502964b38df6101762a1 Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Mon, 21 Dec 2009 17:33:53 +0530
Subject: [PATCH] Revert "compile, parse_acl: treat foo/CREATER (no regex metas) correctly"

This reverts commit 33fc0a7e9fe98dac1eec284119cf47509d68ab8c. Was causing too much trouble with access reporting (basic and expanded) because of the extra ^ at the start... The paranoia referred to in that commit was this sequence: - admin creates a named (non wildcard) repo using config file push - somehow that gets deleted (OS error, corruption, ...) - admin just asks anyone with a current repo to push it to auto-revive it (because we allow people with "W" access to non-wildcard repos to auto-viv repos) - if you're treating this the same as a wildcard creation, you end up making this guy the "creater" of that repo, which means he can add users etc... We resolve that paranois by disallowing autoviv of "W" access repos at all... Only "C" access repos can be autovived by a user (this will be in the next commit)
---
 src/gitolite.pm | 8 +-------
 src/gl-compile-conf | 6 +-----
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/src/gitolite.pm b/src/gitolite.pm
index 23f7e23..657c0fa 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -179,15 +179,9 @@ sub parse_acl
 return unless $repo;
 return $ENV{GL_REPOPATT} = "" if $repos{$repo};
-
- # didn't find $repo in %repos, so it must be a wildcard-match case
-
- # note that the repo regexes in %repos have a leading ^ but not a trailing
- # $; we need to add the $ here to complete the "line-anchoring"
- my @matched = grep { $repo =~ /$_$/ } sort keys %repos;
+ my @matched = grep { $repo =~ /^$_$/ } sort keys %repos;
 die "$repo has no matches\n" unless @matched;
 die "$repo has multiple matches\n@matched\n" if @matched > 1;
- # found exactly one pattern that matched, copy its ACL
 $repos{$repo} = $repos{$matched[0]};
 # and return the pattern
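Review bot: The restored match `$repo =~ /^$_$/` interpolates each %repos key between the anchors without grouping, so a key containing a top-level `|` is anchored only at its outer ends (`^a|b$` accepts any name that starts with `a` or ends with `b`), and `$` also matches before a trailing newline. Since this grep decides which ACL is copied into `$repos{$repo}`, I would write `my @matched = grep { $repo =~ /^(?:$_)\z/ } sort keys %repos;`. Whether repo patterns may contain `|`, and whether `$repo` has already been stripped of newlines, is not visible in this hunk, so both need confirming. The deleted comments were also the only explanation of why the lookup falls through to pattern matching; a one-line `# not an exact key in %repos, so try each key as an anchored pattern` would keep that. parse_acl begins and ends outside the hunk.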
diff --git a/src/gl-compile-conf b/src/gl-compile-conf
index 9da28ed..7d8e1d9 100755
--- a/src/gl-compile-conf
+++ b/src/gl-compile-conf
@@ -195,11 +195,7 @@ sub parse_conf_file
 @repos = split ' ', $1;
 @repos = expand_list ( @repos );
- # CREAT[EO]R must be changed to $creater. Also, prefix a "^" to
- # force it to look like a regex. Otherwise, foo/CREATER/bar (no
- # regex metas) looks like an ordinary reponame, and the logic (in
- # gl-auth) that decides when to allow autovivify gets confused.
- s/\bCREAT[EO]R\b/\$creater/g && s/^/^/ for @repos;
+ s/\bCREAT[EO]R\b/\$creater/g for @repos;
 }
 # actual permission line
 elsif (/^(-|C|R|RW|RW\+) (.* )?= (.+)/)
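Review bot: With the `s/^/^/` step gone, a name such as `foo/CREATER/bar` that has no regex metacharacters is stored with nothing marking it as a wildcard, and the deleted comment said the autovivify decision in gl-auth relied on that marker. The commit description defers the compensating rule (only "C" access may autovivify) to the next commit, so this commit on its own may leave that case treated as an ordinary repo; gl-auth is not part of this diff, so that is inferred. I would land the two changes together, or at least keep a comment above the substitution: `# CREAT[EO]R becomes $creater; no "^" is added, so gl-auth must not rely on one to spot wildcard repos`. parse_conf_file starts and ends outside the hunk.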