I changed my mind: remote automate access should be prevented for
private projects and we should also take care that the symlink that
enables it is dynamically created / removed when the private flag
changes for a project.
feature.better-home
Thomas Keller 2011-01-18 15:43:35 +01:00
parent caac979263
commit 74baebde96
2 changed files with 46 additions and 4 deletions


@ -187,10 +187,11 @@ Remote commands can be helpful for a user or a 3rd party tool (like
contents remotely without having to pull everything in first instance.
Private projects on the other hand can only be synced by team members
or additional invited people. Remote command execution is still enabled
by default - if you want to disable that, simply remove the symlink to
the file `indefero_authorize_remote_automate.conf` in your project's `hooks.d`
directory or copy the file from the original location and adapt it.
or additional invited people. Remote command execution is disabled
by default. If you want to enable that, simply put the keys of the users
you want to give access to in your project's `remote-automate-permissions`
file. In the future this plugin might handle this file just as it handles
`read-permissions` and `write-permissions`.
## Notifications
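
Review bot: The new paragraph tells readers to put "the keys of the users" into the project's `remote-automate-permissions` file but does not say what goes in it (key names or hashes, one per line or another syntax), and it gives no hint of how to verify that access is really off for a private project. Since the same text admits the plugin does not manage this file yet, a short example entry would help. It would also be worth stating here that the `hooks.d/indefero_authorize_remote_automate.conf` symlink is now created and removed automatically when the private flag changes, and that the project's server is restarted when that happens, because the removed text told admins to manage that symlink by hand or to replace it with an adapted copy.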


@ -117,6 +117,12 @@ class IDF_Plugin_SyncMonotone
'hooks.d/indefero_post_push.conf.in',
'hooks.d/indefero_post_push.lua',
);
if (!$project->private) {
// this is linked and not copied to be able to update
// the list of read-only commands on upgrades
$confdir_contents[] = 'hooks.d/indefero_authorize_remote_automate.conf';
}
// check whether we should handle additional files in the config directory
$confdir_extra_contents = Pluf::f('mtn_confdir_extra', false);
if ($confdir_extra_contents !== false) {
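
Review bot: The path literal `'hooks.d/indefero_authorize_remote_automate.conf'` added inside `if (!$project->private)` is repeated as `$file` in the later hunk of this class that links and unlinks it on flag changes, so the two places that decide whether a project exposes remote automate can drift apart. Consider a class constant used by both. The comment also says the file is "linked and not copied", yet the entry is simply appended to `$confdir_contents` next to the `indefero_post_push` files; a pointer to where the link-versus-copy decision is made would make it clear that this entry is not handled like the others.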
@ -383,6 +389,41 @@ class IDF_Plugin_SyncMonotone
__('Could not write read-permissions file "%s"'), $rcfile
));
}
// link / unlink the read-only automate permissions for the project
$confdir = Pluf::f('mtn_confdir', false);
if ($confdir === false) {
$confdir = dirname(__FILE__).'/SyncMonotone/';
}
$file = 'hooks.d/indefero_authorize_remote_automate.conf';
$projectfile = $projectpath.'/'.$file;
$templatefile = $confdir.'/'.$file;
$serverRestartRequired = false;
if ($project->private && file_exists($projectfile) && is_link($projectfile)) {
if (!unlink($projectfile)) {
IDF_Scm_Exception(sprintf(
__('Could not remove symlink "%s"'), $projectfile
));
}
$serverRestartRequired = true;
} else
if (!$project->private && !file_exists($projectfile)) {
if (!symlink($templatefile, $projectfile)) {
throw new IDF_Scm_Exception(sprintf(
__('Could not create symlink "%s"'), $projectfile
));
}
$serverRestartRequired = true;
}
if ($serverRestartRequired) {
// FIXME: we should actually use stopServer() here, but this
// seems to be ignored when the server should be started
// again immediately afterwards
IDF_Scm_Monotone_Usher::killServer($project->shortname);
IDF_Scm_Monotone_Usher::startServer($project->shortname);
}
}
/**
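
Review bot: In the unlink branch the failure path reads `IDF_Scm_Exception(sprintf(` without `throw new`, unlike the symlink branch below it, so a failed `unlink()` is not raised as an exception and the code goes on to set `$serverRestartRequired = true` as if the link had been removed; for a project that was just made private, that is the case that must not fail silently. Use `throw new IDF_Scm_Exception(...)` there. Two related checks deserve a look: `file_exists($projectfile) && is_link($projectfile)` skips a dangling symlink because `file_exists()` follows the link, and `!file_exists($projectfile)` in the public branch would then attempt `symlink()` over that existing link and fail, so testing `is_link()` on its own is safer. A regular file at that path (the removed documentation suggested copying and adapting the conf) is left in place when a project becomes private, which keeps remote automate enabled; either handle that case or document it. The dangling `} else` followed by `if` on the next line would also read better as a single `} elseif (...) {`.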