
bug fix: perms propagation to slaves...

Sometime after v3.2, I fixed what looked like an information disclosure
issue, where a user could determine if an arbitrary repo existed or not,
even if he had no rights to see the repo.  This was:

    96cc2ea "new features relating to creating wild repos:"

Unfortunately, this appears to have broken gl-perms propagation to
slaves, because now running "perms -c" on an existing repo dies!

If you run

    git diff 96cc2ea^ <this commit> -- src/commands/perms

you'll see how simple the fix *should* have been :-(
commit 84424e48b9a89fc9a3784dc4cd640c7420618318 1 parent b303694
Sitaram Chamarty authored
Showing with 14 additions and 14 deletions.
  1. +13 −13 src/commands/perms
  2. +1 −1  t/sequence.t
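--- a/src/commands/perms
+++ b/src/commands/perms
@@ -43,23 +43,23 @@ if ( $ARGV[0] eq '-l' ) {
 getperms(@ARGV); # doesn't return
 }
+my $generic_error = "repo does not exist, or you are not authorised";
+
 # auto-create the repo if -c passed and repo doesn't exist
 if ( $ARGV[0] eq '-c' ) {
 shift;
 my $repo = $ARGV[0] or usage();
 _die "invalid repo '$repo'" unless $repo =~ $REPONAME_PATT;
- my $d = "$rc{GL_REPO_BASE}/$repo.git";
- my $errmsg = "repo already exists or you are not authorised to create it";
- # use the same message in both places to prevent leaking repo existence info
- _die $errmsg if -d $d;
- my $ret = access( $repo, $ENV{GL_USER}, '^C', 'any' );
- _die $errmsg if $ret =~ /DENIED/;
-
- require Gitolite::Conf::Store;
- Gitolite::Conf::Store->import;
- new_wild_repo( $repo, $ENV{GL_USER}, 'perms-c' );
- gl_log( 'create', $repo, $ENV{GL_USER}, 'perms-c' );
+ if (not -d "$rc{GL_REPO_BASE}/$repo.git") {
+ my $ret = access( $repo, $ENV{GL_USER}, '^C', 'any' );
+ _die $generic_error if $ret =~ /DENIED/;
+
+ require Gitolite::Conf::Store;
+ Gitolite::Conf::Store->import;
+ new_wild_repo( $repo, $ENV{GL_USER}, 'perms-c' );
+ gl_log( 'create', $repo, $ENV{GL_USER}, 'perms-c' );
+ }
 }
 my $repo = shift;
@@ -70,7 +70,7 @@ _system( "gitolite", "trigger", "POST_CREATE", $repo, $ENV{GL_USER}, 'perms' );
 sub getperms {
 my $repo = shift;
- _die "sorry you are not authorised" if repo_missing($repo) or creator($repo) ne $ENV{GL_USER};
+ _die $generic_error if repo_missing($repo) or creator($repo) ne $ENV{GL_USER};
 my $pf = "$rc{GL_REPO_BASE}/$repo.git/gl-perms";
 print slurp($pf) if -f $pf;
@@ -79,7 +79,7 @@ sub getperms {
 }
 sub setperms {
- _die "sorry you are not authorised" if repo_missing($repo) or creator($repo) ne $ENV{GL_USER};
+ _die $generic_error if repo_missing($repo) or creator($repo) ne $ENV{GL_USER};
 my $pf = "$rc{GL_REPO_BASE}/$repo.git/gl-perms";
 if ( not @_ ) {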
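Review bot: `$generic_error` is assigned only after the `-l` branch at the top of the first hunk has already called `getperms(@ARGV)`, which per its own comment does not return, so on that path the lexical is still undefined when `getperms` reaches `_die $generic_error`. Assuming `_die` just prints its argument, a `perms -l` on a missing or foreign repo would then produce an empty FATAL (and an uninitialized-value warning if warnings are on) instead of the intended uniform message. Moving `my $generic_error = "repo does not exist, or you are not authorised";` above the `if ( $ARGV[0] eq '-l' )` block, which begins outside the hunk, fixes it; `setperms` is presumably only called after the assignment has run. Since the commit drops the old comment explaining the shared message, the declaration should carry one, e.g. `# same text for missing and unauthorised repos, so repo existence is not disclosed`.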
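--- a/t/sequence.t
+++ b/t/sequence.t
@@ -100,7 +100,7 @@ try "
 # auto-create using perms fail
 echo READERS u5 | glt perms u4 -c foo/u4/baz
 !/Initialized empty Git repository in .*/foo/u4/baz.git/
- /FATAL: repo already exists or you are not authorised to create it/
+ /FATAL: repo does not exist, or you are not authorised/
 # auto-create using perms
 echo READERS u2 | glt perms u1 -c foo/u1/baz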
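Review bot: The updated expectation only covers the denied-creation case; nothing in this hunk exercises the regression the commit fixes, namely `perms -c` against a repo that already exists. Unless the rest of `t/sequence.t` already does so, repeating `echo READERS u2 | glt perms u1 -c foo/u1/baz` after the successful auto-create and expecting `!/FATAL/` would pin the fix. A `perms -l` call on a nonexistent repo expecting `/FATAL: repo does not exist, or you are not authorised/` would likewise pin the shared message on the list path. The `try` block continues outside the hunk.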