natalie/indefero
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

I changed my mind: remote automate access should be prevented for

Browse Source 
private projects and we should also take care that the symlink that
enables it is dynamically created / removed when the private flag
changes for a project.
This commit is contained in:
Thomas Keller 2011-01-18 15:43:35 +01:00
parent caac979263
commit 74baebde96
2 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/syncmonotone.mdtext
View File

@ -187,10 +187,11 @@ Remote commands can be helpful for a user or a 3rd party tool (like
contents remotely without having to pull everything in first instance. contents remotely without having to pull everything in first instance.
Private projects on the other hand can only be synced by team members Private projects on the other hand can only be synced by team members
or additional invited people. Remote command execution is still enabled or additional invited people. Remote command execution is disabled
by default - if you want to disable that, simply remove the symlink to by default. If you want to enable that, simply put the keys of the users
the file `indefero_authorize_remote_automate.conf` in your project's `hooks.d` you want to give access to in your project's `remote-automate-permissions`
directory or copy the file from the original location and adapt it. file. In the future this plugin might handle this file just as it handles
`read-permissions` and `write-permissions`.
## Notifications ## Notifications

41
src/IDF/Plugin/SyncMonotone.php
View File

@ -117,6 +117,12 @@ class IDF_Plugin_SyncMonotone
'hooks.d/indefero_post_push.conf.in', 'hooks.d/indefero_post_push.conf.in',
'hooks.d/indefero_post_push.lua', 'hooks.d/indefero_post_push.lua',
); );
if (!$project->private) {
// this is linked and not copied to be able to update
// the list of read-only commands on upgrades
$confdir_contents[] = 'hooks.d/indefero_authorize_remote_automate.conf';
}
// check whether we should handle additional files in the config directory // check whether we should handle additional files in the config directory
$confdir_extra_contents = Pluf::f('mtn_confdir_extra', false); $confdir_extra_contents = Pluf::f('mtn_confdir_extra', false);
if ($confdir_extra_contents !== false) { if ($confdir_extra_contents !== false) {
@ -383,6 +389,41 @@ class IDF_Plugin_SyncMonotone
__('Could not write read-permissions file "%s"'), $rcfile __('Could not write read-permissions file "%s"'), $rcfile
)); ));
} }
// link / unlink the read-only automate permissions for the project
$confdir = Pluf::f('mtn_confdir', false);
if ($confdir === false) {
$confdir = dirname(__FILE__).'/SyncMonotone/';
}
$file = 'hooks.d/indefero_authorize_remote_automate.conf';
$projectfile = $projectpath.'/'.$file;
$templatefile = $confdir.'/'.$file;
$serverRestartRequired = false;
if ($project->private && file_exists($projectfile) && is_link($projectfile)) {
if (!unlink($projectfile)) {
IDF_Scm_Exception(sprintf(
__('Could not remove symlink "%s"'), $projectfile
));
}
$serverRestartRequired = true;
} else
if (!$project->private && !file_exists($projectfile)) {
if (!symlink($templatefile, $projectfile)) {
throw new IDF_Scm_Exception(sprintf(
__('Could not create symlink "%s"'), $projectfile
));
}
$serverRestartRequired = true;
}
if ($serverRestartRequired) {
// FIXME: we should actually use stopServer() here, but this
// seems to be ignored when the server should be started
// again immediately afterwards
IDF_Scm_Monotone_Usher::killServer($project->shortname);
IDF_Scm_Monotone_Usher::startServer($project->shortname);
}
} }
/** /**