I changed my mind: remote automate access should be prevented for

private projects and we should also take care that the symlink that enables it is dynamically created / removed when the private flag changes for a project.
2011-01-18 15:43:35 +01:00
parent caac979263
commit 74baebde96
2 changed files with 46 additions and 4 deletions
--- a/src/IDF/Plugin/SyncMonotone.php
+++ b/src/IDF/Plugin/SyncMonotone.php
@@ -117,6 +117,12 @@ class IDF_Plugin_SyncMonotone
             'hooks.d/indefero_post_push.conf.in',
             'hooks.d/indefero_post_push.lua',
        );
+        if (!$project->private) {
+            // this is linked and not copied to be able to update
+            // the list of read-only commands on upgrades
+            $confdir_contents[] = 'hooks.d/indefero_authorize_remote_automate.conf';
+        }
+
        // check whether we should handle additional files in the config directory
        $confdir_extra_contents = Pluf::f('mtn_confdir_extra', false);
        if ($confdir_extra_contents !== false) {
@@ -383,6 +389,41 @@ class IDF_Plugin_SyncMonotone
                __('Could not write read-permissions file "%s"'), $rcfile
            ));
        }
+
+        // link / unlink the read-only automate permissions for the project
+        $confdir = Pluf::f('mtn_confdir', false);
+        if ($confdir === false) {
+            $confdir = dirname(__FILE__).'/SyncMonotone/';
+        }
+        $file = 'hooks.d/indefero_authorize_remote_automate.conf';
+        $projectfile = $projectpath.'/'.$file;
+        $templatefile = $confdir.'/'.$file;
+
+        $serverRestartRequired = false;
+        if ($project->private && file_exists($projectfile) && is_link($projectfile)) {
+            if (!unlink($projectfile)) {
+                IDF_Scm_Exception(sprintf(
+                    __('Could not remove symlink "%s"'), $projectfile
+                ));
+            }
+            $serverRestartRequired = true;
+        } else
+        if (!$project->private && !file_exists($projectfile)) {
+            if (!symlink($templatefile, $projectfile)) {
+                throw new IDF_Scm_Exception(sprintf(
+                    __('Could not create symlink "%s"'), $projectfile
+                ));
+            }
+            $serverRestartRequired = true;
+        }
+
+        if ($serverRestartRequired) {
+            // FIXME: we should actually use stopServer() here, but this
+            // seems to be ignored when the server should be started
+            // again immediately afterwards
+            IDF_Scm_Monotone_Usher::killServer($project->shortname);
+            IDF_Scm_Monotone_Usher::startServer($project->shortname);
+        }
    }

    /**