3 # Currently, we just confine the mob user to the mob branch here.
5 # TODO: Generalized branches push permissions support.
# Chroot branch: taken when /usr/bin/perl is not executable, which the script
# treats as "running inside the jail" (see the comment on the next line).
# NOTE(review): this listing carries gutter numbers and omits some lines (the
# exit/fi lines are not visible), so exit codes cannot be confirmed from here.
9 if ! [ -x /usr
/bin
/perl
]; then
10 # We are INSIDE the chroot
# /@jailreporoot@ looks like an install-time substitution placeholder - confirm.
12 reporoot
=/@jailreporoot@
# proj     = current directory with the "$reporoot/" prefix removed
# projbare = proj with a trailing ".git" removed
15 proj
="$(pwd)"; proj
="${proj#$reporoot/}"; projbare
="${proj%.git}"
# Absence of a .nofetch file is reported as "project is a mirror": such
# projects are not accepted as push targets.
17 if ! [ -f .nofetch
]; then
18 echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
# Authorization check for $LOGNAME on this project. can_user_push is not
# defined in this listing; presumably a helper provided inside the jail - verify.
22 if ! can_user_push
"$projbare"; then
23 echo "The user '$LOGNAME' does not have push permissions for project '$proj'" >&2
24 echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
# Mob confinement: applies only when both $mob and $LOGNAME are "mob".
# Per the header comment this is the only per-branch restriction enforced here.
# $1/$2/$3 are presumably git's update-hook arguments (ref name, old object id,
# new object id) - confirm how the hook is installed.
28 if [ "$mob" = "mob" -a "$LOGNAME" = "mob" ]; then
# Any ref other than refs/heads/mob is rejected for the mob user.
29 if [ x
"$1" != x
"refs/heads/mob" ]; then
30 echo "The mob user may push only to the 'mob' branch, sorry" >&2
# All-zero $2 is handled as branch creation (see the message below).
33 if [ x
"$2" = x
"0000000000000000000000000000000000000000" ]; then
34 echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
# All-zero $3 is handled as branch deletion (see the message below).
# NOTE(review): as listed, this message lacks the >&2 redirect its siblings
# have and contains the stray word "smch" - confirm against the real file.
37 if [ x
"$3" = x
"0000000000000000000000000000000000000000" ]; then
38 echo "The mob user may not _delete_ the 'mob' branch, smch, sorry"
46 # We are NOT inside the chroot
# Permission checks run here only when $cfg_permission_control is "Hooks".
# NOTE(review): where the $cfg_* variables are set is not visible in this listing.
50 if [ "$cfg_permission_control" = "Hooks" ]; then
51 # We have some permission control to do!
# proj     = current directory with the "$cfg_reporoot/" prefix removed
# projbare = proj with a trailing ".git" removed
52 proj
="$(pwd)"; proj
="${proj#$cfg_reporoot/}"; projbare
="${proj%.git}"
53 # XXX: Sanity check on project name and $USER here? Seems superfluous.
# SECURITY NOTE(review): $projbare and $USER are expanded by the shell,
# outside any shell quoting, into the text of the -e program, where they end
# up inside Perl double-quoted strings. A value containing whitespace, a
# double quote, "$", "@" or a backslash changes the Perl code that runs, so
# the sanity check questioned above is only superfluous if both values are
# strictly validated before this hook is reached.
# Safer form: keep the program text constant and pass the values as data:
#   perl ... -e 'exit(1) unless Girocco::Project->load($ARGV[0])->can_user_push($ARGV[1])' "$projbare" "$USER"
# Any non-zero perl exit status (including a die) takes the denial branch
# below, so the check fails closed.
54 if ! perl
-I@basedir@
-MGirocco::Project
-e 'exit(1) unless Girocco::Project->load("'$projbare'")->can_user_push("'$USER'")'; then
55 echo "The user '$USER' does not have push permissions for project '$proj'" >&2
56 echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
# Smart HTTP branch: taken when GIT_PROJECT_ROOT is non-empty.
61 if [ -n "$GIT_PROJECT_ROOT" ]; then
62 # We are doing a smart HTTP push
# proj     = current directory with the "$cfg_reporoot/" prefix removed
# projbare = proj with a trailing ".git" removed
64 proj
="$(pwd)"; proj
="${proj#$cfg_reporoot/}"; projbare
="${proj%.git}"
# Absence of a .nofetch file is reported as "project is a mirror": such
# projects are not accepted as push targets.
66 if ! [ -f .nofetch
]; then
67 echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
# Identity is taken from REMOTE_USER, presumably a client-certificate subject
# of the form "/UID=<name>/dnQualifier=<uuid>" set by the web server - confirm.
#   authuser = text after "/UID=" and before the last "/dnQualifier="
#   authuuid = text after that "/dnQualifier="
# NOTE(review): $authuser is used unquoted as a pattern in ${authuuid#$authuser},
# so glob characters in the name would be matched as a pattern, not literally.
71 authuser
="${REMOTE_USER#/UID=}"
72 authuuid
="${authuser}"
73 authuser
="${authuser%/dnQualifier=*}"
74 authuuid
="${authuuid#$authuser}"
75 authuuid
="${authuuid#/dnQualifier=}"
# An empty authuser is treated as an unauthenticated request.
76 if [ -z "$authuser" ]; then
77 echo "Only authenticated users may push, sorry" >&2
# Authorization and certificate check, run as an inline Perl program.
# As listed: exit 1 = project not loadable or user lacks push permission;
# exit 2 = user not loadable or stored uuid differs from the certificate's;
# the mob user (when $Girocco::Config::mob is 'mob') skips the uuid check.
# SECURITY NOTE(review): the here-document delimiter is unquoted, so the shell
# substitutes $projbare, $authuser and $authuuid into Perl single-quoted
# literals before perl reads the program (only the \$-escaped names remain
# Perl variables). $authuser and $authuuid come from REMOTE_USER; a single
# quote or backslash in any of the three values alters the Perl source rather
# than being compared as data. Prefer a quoted delimiter (<<'EOT', with the
# \$ escapes dropped) and pass the values as arguments after "-"
# (perl ... - "$projbare" "$authuser" "$authuuid"), reading them from @ARGV,
# or reject values outside a strict character allowlist before this point.
81 if perl
-I@basedir@
-MGirocco::Project
-MGirocco::User
<<EOT; then :; else
82 my \$p = Girocco::Project->load('$projbare');
83 exit 1 unless \$p && \$p->can_user_push('$authuser');
84 exit 0 if \$Girocco::Config::mob eq 'mob' && '$authuser' eq 'mob';
85 my \$u = Girocco::User->load('$authuser');
86 exit 2 unless \$u && \$u->{uuid} eq '$authuuid';
90 echo "The user '$authuser' certificate being used is no longer valid." \
91 echo "You may download a new user certificate at $cfg_webadmurl/edituser.cgi"
93 echo "The user '$authuser' does not have push permissions for project '$proj'" >&2
94 echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
# Mob confinement for the HTTP path: applies only when $cfg_mob is "mob" and
# the certificate-derived user is "mob".
# $1/$2/$3 are presumably git's update-hook arguments (ref name, old object id,
# new object id) - confirm how the hook is installed.
99 if [ "$cfg_mob" = "mob" -a "$authuser" = "mob" ]; then
# Any ref other than refs/heads/mob is rejected for the mob user.
100 if [ x
"$1" != x
"refs/heads/mob" ]; then
101 echo "The mob user may push only to the 'mob' branch, sorry" >&2
# All-zero $2 is handled as branch creation (see the message below).
104 if [ x
"$2" = x
"0000000000000000000000000000000000000000" ]; then
105 echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
# All-zero $3 is handled as branch deletion (see the message below).
# NOTE(review): as listed, this message lacks the >&2 redirect its siblings
# have and contains the stray word "smch" - confirm against the real file.
108 if [ x
"$3" = x
"0000000000000000000000000000000000000000" ]; then
109 echo "The mob user may not _delete_ the 'mob' branch, smch, sorry"