From 74baebde96b453039018025bbb95f2b60a93914f Mon Sep 17 00:00:00 2001
From: Thomas Keller
Date: Tue, 18 Jan 2011 15:43:35 +0100
Subject: [PATCH] I changed my mind: remote automate access should be prevented for private projects and we should also take care that the symlink that enables it is dynamically created / removed when the private flag changes for a project.
---
 doc/syncmonotone.mdtext | 9 ++++----
 src/IDF/Plugin/SyncMonotone.php | 41 +++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/doc/syncmonotone.mdtext b/doc/syncmonotone.mdtext
index c21a325..4a25b50 100644
--- a/doc/syncmonotone.mdtext
+++ b/doc/syncmonotone.mdtext
@@ -187,10 +187,11 @@ Remote commands can be helpful for a user or a 3rd party tool (like
 contents remotely without having to pull everything in first instance.

 Private projects on the other hand can only be synced by team members
-or additional invited people. Remote command execution is still enabled
-by default - if you want to disable that, simply remove the symlink to
-the file `indefero_authorize_remote_automate.conf` in your project's `hooks.d`
-directory or copy the file from the original location and adapt it.
+or additional invited people. Remote command execution is disabled
+by default. If you want to enable that, simply put the keys of the users
+you want to give access to in your project's `remote-automate-permissions`
+file. In the future this plugin might handle this file just as it handles
+`read-permissions` and `write-permissions`.

 ## Notifications

diff --git a/src/IDF/Plugin/SyncMonotone.php b/src/IDF/Plugin/SyncMonotone.php
index f75f530..bc12e2a 100644
--- a/src/IDF/Plugin/SyncMonotone.php
+++ b/src/IDF/Plugin/SyncMonotone.php
@@ -117,6 +117,12 @@ class IDF_Plugin_SyncMonotone
 'hooks.d/indefero_post_push.conf.in',
 'hooks.d/indefero_post_push.lua',
 );
+ if (!$project->private) {
+ // this is linked and not copied to be able to update
+ // the list of read-only commands on upgrades
+ $confdir_contents[] = 'hooks.d/indefero_authorize_remote_automate.conf';
+ }
+
 // check whether we should handle additional files in the config directory
 $confdir_extra_contents = Pluf::f('mtn_confdir_extra', false);
 if ($confdir_extra_contents !== false) {
@@ -383,6 +389,41 @@ class IDF_Plugin_SyncMonotone
 __('Could not write read-permissions file "%s"'), $rcfile
 ));
 }
+
+ // link / unlink the read-only automate permissions for the project
+ $confdir = Pluf::f('mtn_confdir', false);
+ if ($confdir === false) {
+ $confdir = dirname(__FILE__).'/SyncMonotone/';
+ }
+ $file = 'hooks.d/indefero_authorize_remote_automate.conf';
+ $projectfile = $projectpath.'/'.$file;
+ $templatefile = $confdir.'/'.$file;
+
+ $serverRestartRequired = false;
+ if ($project->private && file_exists($projectfile) && is_link($projectfile)) {
+ if (!unlink($projectfile)) {
+ IDF_Scm_Exception(sprintf(
+ __('Could not remove symlink "%s"'), $projectfile
+ ));
+ }
+ $serverRestartRequired = true;
+ } else
+ if (!$project->private && !file_exists($projectfile)) {
+ if (!symlink($templatefile, $projectfile)) {
+ throw new IDF_Scm_Exception(sprintf(
+ __('Could not create symlink "%s"'), $projectfile
+ ));
+ }
+ $serverRestartRequired = true;
+ }
+
+ if ($serverRestartRequired) {
+ // FIXME: we should actually use stopServer() here, but this
+ // seems to be ignored when the server should be started
+ // again immediately afterwards
+ IDF_Scm_Monotone_Usher::killServer($project->shortname);
+ IDF_Scm_Monotone_Usher::startServer($project->shortname);
+ }
 }

 /**
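Review bot: The path `hooks.d/indefero_authorize_remote_automate.conf` appended to `$confdir_contents` in the first hunk is spelled out a second time in the second hunk (`$file = ...`), so the project-creation path and the private-flag path can drift apart; one class constant used in both places would keep them in step. The new comment says the file is linked rather than copied, but the code that turns `$confdir_contents` entries into links or copies lies outside the hunk, and the removal added in the second hunk only acts when `is_link()` is true. If this entry ever ends up copied, a project later switched to private would keep remote automate enabled, so the comment should state that dependency, e.g. `// must stay a symlink: the private-flag handling removes it only when is_link() is true`.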
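Review bot: In the unlink branch of the second hunk the exception is never thrown: `IDF_Scm_Exception(sprintf(` is written as a plain function call, unlike the symlink branch, so a failed `unlink()` most likely ends in an undefined-function fatal error instead of a catchable exception while the link that grants remote automate access stays in place for a project that has just been made private; it should read `throw new IDF_Scm_Exception(sprintf(`. The guard `file_exists($projectfile) && is_link($projectfile)` also skips a dangling link, because `file_exists()` follows the link, so `if ($project->private && is_link($projectfile)) {` is the safer test. A regular-file copy of the conf, which the documentation text removed by this commit used to suggest, is left untouched when the project goes private, and that case needs either explicit handling or a documented caveat. The enclosing method starts and ends outside the hunk.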