new method for passing usergroup info (warning: minor backward compat breakage)
The old method of passing in usergroup info had some problems, which are now fixed. It is also much easier to use now -- no more "wrapper" script, plus it should work identically whether you use sshd or httpd.

See doc/big-config.mkd for details on the new method.

----

Notes on problems with the old method:

The old method for passing in usergroup info consisted of tacking them on as extra arguments to gl-auth-command, after the username. However, there are some problems with this method.

Some actions in gitolite look for permissions for users other than the invoking user. Determining permissions for gitweb and daemon is one. An admin asking for "info" on some other user, is another.

However, the list of groups sent in via the command line pertains only to the invoking user, so these actions don't work correctly. They may even pick up the wrong permissions.

What it all boils down to is that we need group information for any user dynamically, instead of being passed a (static) list just for the invoking user.
parent ba39d93e28
commit db0485fa7e
4 changed files with 65 additions and 40 deletions
|
@ -40,7 +40,7 @@ our $REPOPATT_PATT=qr(^\@?[0-9a-zA-Z[][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/-]*$);
|
|||
our $ADC_CMD_ARGS_PATT=qr(^[0-9a-zA-Z._\@/+-]*$);
|
||||
|
||||
# these come from the RC file
|
||||
our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $REPO_BASE, $GL_CONF_COMPILED, $GL_BIG_CONFIG, $GL_PERFLOGT, $PROJECTS_LIST, $GL_ALL_INCLUDES_SPECIAL, $GL_SITE_INFO);
|
||||
our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $REPO_BASE, $GL_CONF_COMPILED, $GL_BIG_CONFIG, $GL_PERFLOGT, $PROJECTS_LIST, $GL_ALL_INCLUDES_SPECIAL, $GL_SITE_INFO, $GL_GET_MEMBERSHIPS_PGM);
|
||||
our %repos;
|
||||
our %groups;
|
||||
our %repo_config;
|
||||
|
@ -932,6 +932,7 @@ sub special_cmd
|
|||
# - (only for repos) as an indirect wildcard (@g = foo/.*; repo @g).
|
||||
# note: the wildcard stuff does not apply to username memberships
|
||||
|
||||
our %extgroups_cache;
|
||||
sub get_memberships {
|
||||
my $base = shift; # reponame or username
|
||||
my $is_repo = shift; # some true value means a repo name has been passed
|
||||
|
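Review bot: `our %extgroups_cache;` is declared as a package global with no comment on what it holds or how long entries live. As used further down, it is keyed only by $base and entries are never expired, which is fine for a short-lived process but would serve stale memberships in anything long-running. A one-line comment stating that, and `my` instead of `our` if nothing outside this file needs the hash, would make the intent clear.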
@ -969,10 +970,17 @@ sub get_memberships {
|
|||
|
||||
# deal with returning user info first
|
||||
unless ($is_repo) {
|
||||
# add in group membership info sent in via second and subsequent
|
||||
# arguments to gl-auth-command; be sure to prefix the "@" sign to each
|
||||
# of them!
|
||||
push @ret, map { s/^/@/; $_; } split(' ', $ENV{GL_GROUP_LIST}) if $ENV{GL_GROUP_LIST};
|
||||
# bring in group membership info stored externally, by running
|
||||
# $GL_GET_MEMBERSHIPS_PGM if it is defined
|
||||
|
||||
if ($extgroups_cache{$base}) {
|
||||
push @ret, @{ $extgroups_cache{$base} };
|
||||
} elsif ($GL_GET_MEMBERSHIPS_PGM) {
|
||||
my @extgroups = map { s/^/@/; $_; } split ' ', `$GL_GET_MEMBERSHIPS_PGM $base`;
|
||||
$extgroups_cache{$base} = \@extgroups;
|
||||
push @ret, @extgroups;
|
||||
}
|
||||
|
||||
return (@ret);
|
||||
}
|
||||
|
||||
|
|
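Review bot: In the new `elsif ($GL_GET_MEMBERSHIPS_PGM)` branch, the backtick call `$GL_GET_MEMBERSHIPS_PGM $base` builds a shell command string with $base interpolated, and nothing visible in this hunk checks $base against a safe pattern first. Since $base can be a username other than the invoking user (the "info" case from the commit message), either validate it at the top of get_memberships or run the program without a shell, for example with a list-form open(my $fh, "-|", $GL_GET_MEMBERSHIPS_PGM, $base), noting that this form requires the rc value to be a bare program path with no arguments. The exit status is also ignored, so a failing program leaves an empty list in %extgroups_cache for that user and the failure is silent; checking $? and skipping the cache on failure would surface it. The tokens the program prints are turned into group names by `map { s/^/@/; $_; }` with no pattern check, so a check on each token before the push would be worth adding.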