compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW

Summary:
    DON'T forget to run src/gl-compile-conf as the last step in the upgrade

Details:

The compiled file format has changed quite a bit, to make it easier for the
rebel edition coming up :-)

compile:
  - we don't split RW/RW+ into individual perms anymore
  - we store the info required for the first level check separately now:
    (repo, R/W, user)
  - the order for second level check is now:
    repo, user, [{ref=>perms}...] (list of hashes)

update hook logic: the first refex that:
  - matches the incoming ref, AND
  - contains the perm you're trying to use,
causes the match loop to exit with success.  Fallthrough is failure.
1 parent 2285e75 commit 978046acb9d7adb9d352eb275f20f958cbe46551 Sitaram Chamarty committed with Sitaram Chamarty Sep 18, 2009
Showing with 28 additions and 13 deletions.
  1. +6 −0 doc/0-UPGRADE.mkd
  2. +10 −5 src/gl-compile-conf
  3. +12 −8 src/update-hook.pl
@@ -42,6 +42,12 @@ And you're done.
If any extra steps beyond the generic ones above are needed, they will be
listed here, newest first.
+#### upgrading from 86faae4
+
+Between 86faae4 and this version, gitolite had a *major* change in the
+*internal* format of the compiled config file. Please do not omit step 5 in
+the generic instructions above.
+
#### upgrading from 5758f69
Between 5758f69 and this version, gitolite learnt to allow "groupnames" for
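Review bot: The new "upgrading from 86faae4" section refers to "step 5 in the generic instructions above" by number only, which goes stale if those steps are ever renumbered and tells the reader nothing about what the step is. Name the action in the text (the commit message gives it as running src/gl-compile-conf as the last step of the upgrade) and add a short statement of what goes wrong if the old compiled file is left in place.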
@@ -3,6 +3,7 @@
use strict;
use warnings;
use Data::Dumper;
+$Data::Dumper::Indent = 1;
# === add-auth-keys ===
@@ -146,8 +147,7 @@ while (<$conf_fh>)
# actual permission line
elsif (/^(R|RW|RW\+) (.* )?= (.+)/)
{
- # split perms to separate out R, W, and +
- my @perms = split //, $1;
+ my $perms = $1;
my @refs; @refs = split(' ', $2) if $2;
my @users = split ' ', $3;
@@ -165,11 +165,16 @@ while (<$conf_fh>)
# ok, we can finally populate the %repos hash
for my $repo (@repos) # each repo in the current stanza
{
- for my $perm (@perms)
+ for my $user (@users)
{
- for my $user (@users)
+ # for 1st level check (see faq/tips doc)
+ $repos{$repo}{R}{$user} = 1 if $perms =~ /R/;
+ $repos{$repo}{W}{$user} = 1 if $perms =~ /W/;
+
+ # for 2nd level check, store each "ref, perms" pair in order
+ for my $ref (@refs)
{
- push @{ $repos{$repo}{$perm}{$user} }, @refs;
+ push @{ $repos{$repo}{$user} }, { $ref => $perms };
}
}
}
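Review bot: The first-level keys `R` and `W` now share a hash level with user names: `$repos{$repo}{R}{$user} = 1` makes `$repos{$repo}{R}` a hash, while `push @{ $repos{$repo}{$user} }, ...` expects an array at `$repos{$repo}{$user}`. A user literally named `R` or `W` would hit both, and under the `use strict` at the top of this file the push would die with a not-an-ARRAY-reference error. Consider keeping the two checks in separate subtrees or rejecting those names while parsing, and add a comment describing the new layout, since the update hook depends on every list element being a one-key `{ refex => perms }` hash.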
@@ -58,23 +58,27 @@
$perm = '+' if $oldsha ne $merge_base;
my @allowed_refs;
-push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{$ENV{GL_USER}} || [] };
-push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{'@all'} || [] };
-push @allowed_refs, "$PERSONAL/$ENV{GL_USER}/" if $PERSONAL;
-for my $refex (@allowed_refs)
-# refex? sure -- a regex to match a ref against :)
+# personal stuff -- right at the start in the new regime, I guess!
+push @allowed_refs, { "$PERSONAL/$ENV{GL_USER}/" => "RW+" } if $PERSONAL;
+# we want specific perms to override @all, so they come first
+push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
+push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
+for my $ar (@allowed_refs)
{
- if ($ref =~ /$refex/)
+ my $refex = (keys %$ar)[0];
+ # refex? sure -- a regex to match a ref against :)
+ next unless $ref =~ /$refex/;
+ if ($ar->{$refex} =~ /\Q$perm/)
{
# if log failure isn't important enough to block pushes, get rid of
# all the error checking
open my $log_fh, ">>", $ENV{GL_LOG}
or die "open log failed: $!\n";
print $log_fh "$ENV{GL_TS} $perm\t" .
substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
- "\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\n";
+ "\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$refex\n";
close $log_fh or die "close log failed: $!\n";
exit 0;
}
}
-exit 1;
+die "$perm $ref $ENV{GL_USER} DENIED by fallthru\n";
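Review bot: The comment "we want specific perms to override @all" does not match what the loop does. An entry whose refex matches but whose perms lack `$perm` is simply skipped (there is no `else` after `if ($ar->{$refex} =~ /\Q$perm/)`), so the search continues into the `@all` entries and the result is the union of every matching rule, not an override. If that is the intent, as the commit message describes it, reword the comment to say that ordering only decides which refex is logged; if a narrower per-user rule is supposed to stop the search, the loop needs an explicit deny at the first matching refex. Separately, `$refex` is appended as a new trailing field on the log line, so anything that parses `$ENV{GL_LOG}` by column count should be mentioned in the upgrade notes.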
