fixup to pushing wild repos permissions...

- fix docs to explicitly state that mirroring wild repos is a bad idea
    if the authentication data is not the same on the peers.

  - an important check against a malicious peer was missed out.  If
    people heed the warning above this check is not really needed but it
    is good for completeness.

  - warning about redirected pushes removed, thanks to Ronald Ip having
    tested it and reported it working.

src/lib/Gitolite/Triggers/Mirroring.pm

@@ -17,6 +17,11 @@ my ( $mode, $master, %slaves, %trusted_slaves );
 sub input {
     return unless $ARGV[0] =~ /^server-(\S+)$/;
 
+    # note: we treat %rc as our own internal "poor man's %ENV"
+    $rc{FROM_SERVER} = $1;
+    trace( 3, "from_server: $1" );
+    my $sender = $rc{FROM_SERVER} || '';
+
     # custom peer-to-peer commands.  At present the only one is 'perms -c',
     # sent from a mirror command
     if ($ENV{SSH_ORIGINAL_COMMAND} =~ /^CREATOR=(\S+) perms -c '(\S+)'$/) {
@@ -26,6 +31,7 @@ sub input {
         details($repo);
         _die "$hn: '$repo' is local"  if $mode eq 'local';
         _die "$hn: '$repo' is native" if $mode eq 'master';
+        _die "$hn: '$sender' is not the master for '$repo'" if $master ne $sender;
 
         # this expects valid perms content on STDIN
         _system("gitolite perms -c $repo");
@@ -34,10 +40,6 @@ sub input {
         exit 0;
     }
 
-    # note: we treat %rc as our own internal "poor man's %ENV"
-    $rc{FROM_SERVER} = $1;
-    trace( 3, "from_server: $1" );
-
     if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^USER=(\S+) SOC=(git-receive-pack '(\S+)')$/ ) {
         # my ($user, $newsoc, $repo) = ($1, $2, $3);
         $ENV{SSH_ORIGINAL_COMMAND} = $2;