[girocco.git] / hooks / update
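#!/bin/sh

# Git "update" hook. As used below, $1 is the ref being pushed, $2 its old
# object id and $3 its new object id. A non-zero exit rejects the ref.
#
# Currently, we just confine the mob user to the mob branch here.
# TODO: Generalized branches push permissions support.
#
# NOTE(review): the rendered listing dropped blank lines and very short lines
# (closing "fi", the "*)" case arm). They are restored here from the visible
# structure -- confirm against the repository copy before deploying.

set -e

if ! [ -x /usr/bin/perl ]; then
	# We are INSIDE the chroot

	reporoot=/@jailreporoot@
	webadmurl=@webadmurl@
	mob=@mob@
	proj="$(pwd)"; proj="${proj#$reporoot/}"
	# A working directory ending in /mob selects the personal mob branch
	# rules for the enclosing project.
	mobdir=
	case "$proj" in
	*?/mob)
		mobdir=1
		proj="${proj%/mob}"
		;;
	esac
	projbare="${proj%.git}"

	# Only projects carrying a .nofetch marker accept pushes.
	if ! [ -f "$reporoot/$proj/.nofetch" ]; then
		echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
		exit 3
	fi

	# Compound tests use "[ ] && [ ]" instead of the obsolescent, ambiguous
	# "-a" operator of test(1).
	if [ -n "$mobdir" ] && [ "$mob" != "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "Personal mob branches are not supported" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && [ "$LOGNAME" = "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The mob user may not use personal mob branches" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && ! [ -d "$reporoot/$proj/mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The project '$proj' does not support personal mob branches" >&2
		exit 3
	fi
	# NOTE(review): can_user_push is not defined anywhere in this listing;
	# presumably the chroot environment provides it -- confirm.
	if [ -n "$mobdir" ] && ! can_user_push "$projbare" mob; then
		# Should only get here if there's a misconfiguration
		echo "The user 'mob' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi
	if [ -n "$mobdir" ]; then
		# All personal mob refs must be refs/heads/mob.$LOGNAME or
		# refs/mob/mob.$LOGNAME, or start with refs/heads/mob_$LOGNAME/ or
		# refs/mob/mob_$LOGNAME/. The user name is quoted in each pattern,
		# so it is matched literally and cannot widen the allowed set.
		case "$1" in
		"refs/heads/mob.$LOGNAME" | \
		"refs/heads/mob_$LOGNAME/"?* | \
		"refs/mob/mob.$LOGNAME" | \
		"refs/mob/mob_$LOGNAME/"?* )
			: ;;
		*)
			echo "The user '$LOGNAME' does not have push permissions for project '$proj'." >&2
			echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
			echo "The ref '$1' is not a valid personal mob branch ref name." >&2
			echo "Valid personal mob branch ref names are one of the following:" >&2
			echo " refs/heads/mob.$LOGNAME or refs/mob/mob.$LOGNAME" >&2
			echo "or refs that start with one of the following:" >&2
			echo " refs/heads/mob_$LOGNAME/ or refs/mob/mob_$LOGNAME/" >&2
			echo "No other personal mob branch ref names may be pushed to, sorry." >&2
			echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
			exit 3
			;;
		esac
		exit 0
	fi

	if ! can_user_push "$projbare"; then
		echo "The user '$LOGNAME' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi

	if [ "$mob" = "mob" ] && [ "$LOGNAME" = "mob" ]; then
		if [ x"$1" != x"refs/heads/mob" ]; then
			echo "The mob user may push only to the 'mob' branch, sorry" >&2
			exit 1
		fi
		# An all-zero object id marks ref creation ($2) or deletion ($3).
		# Matching "nothing but zeros" rather than exactly 40 of them keeps
		# the guard effective for longer ids (a SHA-256 repository uses 64
		# digits); an empty value is refused as well, i.e. fails closed.
		case "$2" in
		*[!0]*) ;;
		*)
			echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
			exit 2
			;;
		esac
		case "$3" in
		*[!0]*) ;;
		*)
			# This message previously went to stdout, unlike every other
			# rejection in the hook.
			echo "The mob user may not _delete_ the 'mob' branch, smch, sorry" >&2
			exit 3
			;;
		esac
	fi

	if [ "$mob" = "mob" ]; then
		# Users with push permission must not occupy the refs/heads names
		# that are handed out to personal mob branch users.
		case "$1" in
		"refs/heads/mob."?* | "refs/heads/mob_"?*)
			echo "Use of the ref '$1' is reserved for personal mob branch" >&2
			echo "users who do not have push permission to project '$proj'." >&2
			echo "Users with push permission may only access the personal" >&2
			echo "mob branches using refs that start with 'refs/mob/'." >&2
			exit 3
			;;
		esac
	fi

	exit 0
fi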
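# We are NOT inside the chroot

. @basedir@/shlib.sh

# NOTE(review): the closing "fi" lines of this section were missing from the
# rendered listing and are restored from the visible structure -- confirm
# against the repository copy.
if [ "$cfg_permission_control" = "Hooks" ]; then
	# We have some permission control to do!
	proj="$(pwd)"; proj="${proj#$cfg_reporoot/}"; projbare="${proj%.git}"
	# XXX: Sanity check on project name and $USER here? Seems superfluous.
	#
	# The project and user names are handed to Perl through @ARGV instead of
	# being spliced into the program text. A quote or other metacharacter in
	# either value therefore stays data and cannot alter the permission
	# check; the unquoted shell expansions of the old form are gone too.
	# As before, a project that fails to load makes perl exit non-zero,
	# which denies the push.
	if ! perl -I@basedir@ -MGirocco::Project -e \
		'exit(1) unless Girocco::Project->load($ARGV[0])->can_user_push($ARGV[1])' \
		"$projbare" "$USER"; then
		echo "The user '$USER' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi
fi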
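# NOTE(review): the rendered listing dropped blank lines and very short lines
# (closing "fi", the "*)" case arm, the "EOT" heredoc terminator). They are
# restored here from the visible structure -- confirm against the repository
# copy before deploying.
if [ -n "$GIT_PROJECT_ROOT" ]; then
	# We are doing a smart HTTP push

	proj="$(pwd)"; proj="${proj#$cfg_reporoot/}"
	# A working directory ending in /mob selects the personal mob branch
	# rules for the enclosing project.
	mobdir=
	case "$proj" in
	*?/mob)
		mobdir=1
		proj="${proj%/mob}"
		;;
	esac
	projbare="${proj%.git}"

	# Only projects carrying a .nofetch marker accept pushes.
	if ! [ -f "$cfg_reporoot/$proj/.nofetch" ]; then
		echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
		exit 3
	fi

	# REMOTE_USER is split as "/UID=<user>/dnQualifier=<uuid>".
	# NOTE(review): presumably this is the subject of the verified client
	# certificate as exported by the web server -- confirm the server config.
	authuser="${REMOTE_USER#/UID=}"
	authuuid="${authuser}"
	authuser="${authuser%/dnQualifier=*}"
	# The user name is quoted so it is stripped as a literal prefix, not
	# interpreted as a glob pattern.
	authuuid="${authuuid#"$authuser"}"
	authuuid="${authuuid#/dnQualifier=}"
	if [ -z "$authuser" ]; then
		echo "Only authenticated users may push, sorry" >&2
		exit 3
	fi

	# Compound tests use "[ ] && [ ]" instead of the obsolescent, ambiguous
	# "-a" operator of test(1).
	if [ -n "$mobdir" ] && [ "$cfg_mob" != "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "Personal mob branches are not supported" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && [ "$authuser" = "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The mob user may not use personal mob branches" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && ! [ -d "$cfg_reporoot/$proj/mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The project '$proj' does not support personal mob branches" >&2
		exit 3
	fi
	# The project name travels through @ARGV so it is never parsed as Perl.
	if [ -n "$mobdir" ] && ! perl -I@basedir@ -MGirocco::Project -e \
		'exit(1) unless Girocco::Project->load($ARGV[0])->can_user_push("mob")' \
		"$projbare"; then
		# Should only get here if there's a misconfiguration
		echo "The user 'mob' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi
	if [ -n "$mobdir" ]; then
		# All personal mob refs must be refs/heads/mob.$authuser or
		# refs/mob/mob.$authuser, or start with refs/heads/mob_$authuser/ or
		# refs/mob/mob_$authuser/. The user name is quoted in each pattern,
		# so it is matched literally and cannot widen the allowed set.
		case "$1" in
		"refs/heads/mob.$authuser" | \
		"refs/heads/mob_$authuser/"?* | \
		"refs/mob/mob.$authuser" | \
		"refs/mob/mob_$authuser/"?* )
			: ;;
		*)
			echo "The user '$authuser' does not have push permissions for project '$proj'." >&2
			echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
			echo "The ref '$1' is not a valid personal mob branch ref name." >&2
			echo "Valid personal mob branch ref names are one of the following:" >&2
			echo " refs/heads/mob.$authuser or refs/mob/mob.$authuser" >&2
			echo "or refs that start with one of the following:" >&2
			echo " refs/heads/mob_$authuser/ or refs/mob/mob_$authuser/" >&2
			echo "No other personal mob branch ref names may be pushed to, sorry." >&2
			echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
			exit 3
			;;
		esac
		exit 0
	fi

	# Perl reads the program from stdin ("-") and receives the project, user
	# and certificate uuid as @ARGV. The heredoc delimiter is quoted, so the
	# shell expands nothing inside it: values derived from REMOTE_USER and
	# the working directory can no longer end up inside Perl source text.
	# Exit status: 0 = allowed, 1 = no push permission (or unknown project),
	# 2 = user unknown or certificate uuid does not match the stored one.
	if perl -I@basedir@ -MGirocco::Project -MGirocco::User - \
		"$projbare" "$authuser" "$authuuid" <<'EOT'; then :; else
my ($projname, $user, $uuid) = @ARGV;
my $p = Girocco::Project->load($projname);
exit 1 unless $p && $p->can_user_push($user);
exit 0 if $Girocco::Config::mob eq 'mob' && $user eq 'mob';
my $u = Girocco::User->load($user);
exit 2 unless $u && $u->{uuid} eq $uuid;
exit 0
EOT
		# $? still holds perl's exit status here.
		if [ $? -eq 2 ]; then
			# The first echo used to end in a line-continuation backslash,
			# which turned the second "echo ..." into extra arguments of
			# the first; both now print separately, on stderr like the
			# other rejections.
			echo "The user '$authuser' certificate being used is no longer valid." >&2
			echo "You may download a new user certificate at $cfg_webadmurl/edituser.cgi" >&2
		else
			echo "The user '$authuser' does not have push permissions for project '$proj'" >&2
			echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		fi
		exit 3
	fi

	if [ "$cfg_mob" = "mob" ] && [ "$authuser" = "mob" ]; then
		if [ x"$1" != x"refs/heads/mob" ]; then
			echo "The mob user may push only to the 'mob' branch, sorry" >&2
			exit 1
		fi
		# An all-zero object id marks ref creation ($2) or deletion ($3).
		# Matching "nothing but zeros" rather than exactly 40 of them keeps
		# the guard effective for longer ids (a SHA-256 repository uses 64
		# digits); an empty value is refused as well, i.e. fails closed.
		case "$2" in
		*[!0]*) ;;
		*)
			echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
			exit 2
			;;
		esac
		case "$3" in
		*[!0]*) ;;
		*)
			# This message previously went to stdout, unlike every other
			# rejection in the hook.
			echo "The mob user may not _delete_ the 'mob' branch, smch, sorry" >&2
			exit 3
			;;
		esac
	fi

	if [ "$cfg_mob" = "mob" ]; then
		# Users with push permission must not occupy the refs/heads names
		# that are handed out to personal mob branch users.
		case "$1" in
		"refs/heads/mob."?* | "refs/heads/mob_"?*)
			echo "Use of the ref '$1' is reserved for personal mob branch" >&2
			echo "users who do not have push permission to project '$proj'." >&2
			echo "Users with push permission may only access the personal" >&2
			echo "mob branches using refs that start with 'refs/mob/'." >&2
			exit 3
			;;
		esac
	fi
fi

exit 0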