Revert "compile, parse_acl: treat foo/CREATER (no regex metas) correctly"

This reverts commit 33fc0a7e9f.

Was causing too much trouble with access reporting (basic and expanded)
because of the extra ^ at the start...

The paranoia referred to in that commit was this sequence:

  - admin creates a named (non wildcard) repo using config file push
  - somehow that gets deleted (OS error, corruption, ...)
  - admin just asks anyone with a current repo to push it to auto-revive
    it (because we allow people with "W" access to non-wildcard repos to
    auto-viv repos)
  - if you're treating this the same as a wildcard creation, you end up
    making this guy the "creater" of that repo, which means he can add
    users etc...

We resolve that paranois by disallowing autoviv of "W" access repos at
all...  Only "C" access repos can be autovived by a user (this will be
in the next commit)
This commit is contained in:
Sitaram Chamarty 2009-12-21 17:33:53 +05:30
parent 714e214258
commit 981d693dec
2 changed files with 2 additions and 12 deletions

View file

@ -179,15 +179,9 @@ sub parse_acl
return unless $repo; return unless $repo;
return $ENV{GL_REPOPATT} = "" if $repos{$repo}; return $ENV{GL_REPOPATT} = "" if $repos{$repo};
my @matched = grep { $repo =~ /^$_$/ } sort keys %repos;
# didn't find $repo in %repos, so it must be a wildcard-match case
# note that the repo regexes in %repos have a leading ^ but not a trailing
# $; we need to add the $ here to complete the "line-anchoring"
my @matched = grep { $repo =~ /$_$/ } sort keys %repos;
die "$repo has no matches\n" unless @matched; die "$repo has no matches\n" unless @matched;
die "$repo has multiple matches\n@matched\n" if @matched > 1; die "$repo has multiple matches\n@matched\n" if @matched > 1;
# found exactly one pattern that matched, copy its ACL # found exactly one pattern that matched, copy its ACL
$repos{$repo} = $repos{$matched[0]}; $repos{$repo} = $repos{$matched[0]};
# and return the pattern # and return the pattern

View file

@ -195,11 +195,7 @@ sub parse_conf_file
@repos = split ' ', $1; @repos = split ' ', $1;
@repos = expand_list ( @repos ); @repos = expand_list ( @repos );
# CREAT[EO]R must be changed to $creater. Also, prefix a "^" to s/\bCREAT[EO]R\b/\$creater/g for @repos;
# force it to look like a regex. Otherwise, foo/CREATER/bar (no
# regex metas) looks like an ordinary reponame, and the logic (in
# gl-auth) that decides when to allow autovivify gets confused.
s/\bCREAT[EO]R\b/\$creater/g && s/^/^/ for @repos;
} }
# actual permission line # actual permission line
elsif (/^(-|C|R|RW|RW\+) (.* )?= (.+)/) elsif (/^(-|C|R|RW|RW\+) (.* )?= (.+)/)