# Currently, we just confine the mob user to the mob branch here.
# TODO: Generalized branches push permissions support.
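# Decide where the hook is running: this branch is taken when the perl binary
# substituted for @perlbin@ is not executable, which the original comment
# equates with being inside the chroot jail.
if ! [ -x @perlbin@ ]; then
	# We are INSIDE the chroot
	# (listing line 11 not shown)

	# Canonicalise the repository root (pwd -P resolves symlinks) so that the
	# prefix strip below compares physical paths on both sides.
	reporoot=/@jailreporoot@
	reporoot="$(cd "$reporoot" && pwd -P)"
	# (listing lines 14-15 not shown)

	# Project path relative to the repository root. $reporoot is quoted inside
	# the expansion so it is removed as a literal prefix rather than being
	# interpreted as a glob pattern.
	proj="$(pwd -P)"
	proj="${proj#"$reporoot"/}"
	# (listing line 17 not shown)

	# A repository path ending in /mob gets special handling; the body of this
	# arm is not shown. Later checks test $mobdir, so it is presumably set here.
	case "$proj" in *?/mob)
		# (listing lines 19-21 not shown)

	projbare="${proj%.git}"
	# (listing line 23 not shown)

	# A project without a .nofetch marker file is treated as a mirror, and
	# mirrors never accept pushes.
	if ! [ -f "$reporoot/$proj/.nofetch" ]; then
		echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
		# (listing lines 26-28 not shown)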
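# Configuration sanity checks for pushes that arrive through a personal mob
# directory ($mobdir non-empty). Each condition is written as separate test
# commands joined with &&: the -a operator of [ is obsolescent and can be
# mis-parsed when an operand (for example $LOGNAME) looks like an operator.

# Personal mob branches require the mob user to be named "mob".
if [ -n "$mobdir" ] && [ "$mob" != "mob" ]; then
	# Should only get here if there's a misconfiguration
	echo "Personal mob branches are not supported" >&2
	# (listing lines 32-33 not shown)

# The shared mob account itself may not use personal mob branches.
if [ -n "$mobdir" ] && [ "$LOGNAME" = "mob" ]; then
	# Should only get here if there's a misconfiguration
	echo "The mob user may not use personal mob branches" >&2
	# (listing lines 37-38 not shown)

# The project must actually have a mob subdirectory.
if [ -n "$mobdir" ] && ! [ -d "$reporoot/$proj/mob" ]; then
	# Should only get here if there's a misconfiguration
	echo "The project '$proj' does not support personal mob branches" >&2
	# (listing lines 42-43 not shown)

# Personal mob pushes are only allowed on projects the mob user may push to.
if [ -n "$mobdir" ] && ! can_user_push "$projbare" mob; then
	# Should only get here if there's a misconfiguration
	echo "The user 'mob' does not have push permissions for project '$proj'" >&2
	echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
	# (listing lines 48-49 not shown)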
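# Restrict a personal mob push to ref names owned by the pushing user.
if [ -n "$mobdir" ]; then
	# All personal mob refs must be refs/heads/mob.$LOGNAME or
	# refs/mob/mob.$LOGNAME exactly, or start with refs/heads/mob_$LOGNAME/
	# or refs/mob/mob_$LOGNAME/ followed by at least one more character.
	# $LOGNAME sits inside double quotes in every pattern, so it is matched
	# literally; only the trailing ?* is a glob.
	# (listing line 53 not shown; presumably it opens a case on the ref name in $1)
	"refs/heads/mob.$LOGNAME" | \
	"refs/heads/mob_$LOGNAME/"?* | \
	"refs/mob/mob.$LOGNAME" | \
	"refs/mob/mob_$LOGNAME/"?* ) :;;
	# (listing line 58 not shown; the messages below report a rejected ref name)
		echo "The user '$LOGNAME' does not have push permissions for project '$proj'." >&2
		echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
		echo "The ref '$1' is not a valid personal mob branch ref name." >&2
		echo "Valid personal mob branch ref names are one of the following:" >&2
		echo " refs/heads/mob.$LOGNAME or refs/mob/mob.$LOGNAME" >&2
		echo "or refs that start with one of the following:" >&2
		echo " refs/heads/mob_$LOGNAME/ or refs/mob/mob_$LOGNAME/" >&2
		echo "No other personal mob branch ref names may be pushed to, sorry." >&2
		echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
		# (listing lines 68-72 not shown)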
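# Ordinary push: the logged-in user must hold push permission on the project.
# can_user_push is defined outside this listing; here it is called with the
# project name only (no explicit user argument).
if ! can_user_push "$projbare"; then
	echo "The user '$LOGNAME' does not have push permissions for project '$proj'" >&2
	echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
	# (listing lines 76-78 not shown)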
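# Confine the shared 'mob' account to updating the existing refs/heads/mob
# branch. The update hook receives the ref name in $1, the old object id in $2
# and the new object id in $3; an all-zero old id means the ref is being
# created and an all-zero new id means it is being deleted.
# NOTE(review): the null id is hard-coded as 40 zeros (SHA-1 length). In a
# repository using a longer object id the create/delete comparisons below
# would never match - confirm that only SHA-1 repositories are served.
if [ "$mob" = "mob" ] && [ "$LOGNAME" = "mob" ]; then
	if [ x"$1" != x"refs/heads/mob" ]; then
		echo "The mob user may push only to the 'mob' branch, sorry" >&2
		# (listing lines 82-83 not shown)
	if [ x"$2" = x"0000000000000000000000000000000000000000" ]; then
		echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
		# (listing lines 86-87 not shown)
	if [ x"$3" = x"0000000000000000000000000000000000000000" ]; then
		# Sent to stderr like every other rejection message in this hook.
		echo "The mob user may not _delete_ the 'mob' branch, smch, sorry" >&2
		# (listing lines 90-93 not shown)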
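# When mob support is enabled, refs/heads/mob.<x> and refs/heads/mob_<x> are
# reserved for personal mob branch users; per the messages below, users who do
# hold push permission must reach personal mob branches through refs/mob/.
if [ "$mob" = "mob" ]; then
	# (listing line 95 not shown; presumably it opens a case on the ref name in $1)
	"refs/heads/mob."?* | "refs/heads/mob_"?*)
		echo "Use of the ref '$1' is reserved for personal mob branch" >&2
		echo "users who do not have push permission to project '$proj'." >&2
		echo "Users with push permission may only access the personal" >&2
		echo "mob branches using refs that start with 'refs/mob/'." >&2
		# (listing lines 101-107 not shown)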
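# We are NOT inside the chroot
# (listing lines 109-110 not shown)

# Canonicalise the configured repository root (pwd -P resolves symlinks).
reporoot="$(cd "$cfg_reporoot" && pwd -P)"
# (listing line 112 not shown)

# With hook-based permission control the hook itself has to authorise the push.
if [ "$cfg_permission_control" = "Hooks" ]; then
	# We have some permission control to do!
	# $reporoot is quoted inside the expansion so it is stripped as a literal
	# prefix rather than being interpreted as a glob pattern.
	proj="$(pwd -P)"
	proj="${proj#"$reporoot"/}"
	projbare="${proj%.git}"
	# XXX: Sanity check on project name and $USER here? Seems superfluous.
	# NOTE(review): $USER and the directory-derived project name reach
	# can_user_push_http without validation in this hook; whether the helper
	# validates them is not visible here - confirm before relying on it.
	if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$USER"; then
		echo "The user '$USER' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		# (listing lines 120-123 not shown)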
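# A non-empty GIT_PROJECT_ROOT is taken to mean the push arrived over smart HTTP.
if [ -n "$GIT_PROJECT_ROOT" ]; then
	# We are doing a smart HTTP push
	# (listing line 126 not shown)

	# Project path relative to the repository root. $reporoot is quoted inside
	# the expansion so it is stripped as a literal prefix rather than being
	# interpreted as a glob pattern.
	proj="$(pwd -P)"
	proj="${proj#"$reporoot"/}"
	# (listing line 128 not shown)

	# A repository path ending in /mob gets special handling; the body of this
	# arm is not shown. Later checks test $mobdir, so it is presumably set here.
	case "$proj" in *?/mob)
		# (listing lines 130-132 not shown)

	projbare="${proj%.git}"
	# (listing line 134 not shown)

	# A project without a .nofetch marker file is treated as a mirror, and
	# mirrors never accept pushes.
	if ! [ -f "$reporoot/$proj/.nofetch" ]; then
		echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
		# (listing lines 137-139 not shown)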
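# Split REMOTE_USER into a user name and a UUID. The expansions below handle a
# value of the form /UID=<user>/dnQualifier=<uuid>:
#   authuser = text after the leading "/UID=" up to the last "/dnQualifier="
#   authuuid = text after that "/dnQualifier=" (empty when it is absent)
authuser="${REMOTE_USER#/UID=}"
authuuid="${authuser}"
authuser="${authuser%/dnQualifier=*}"
# $authuser is quoted so that it is removed as a literal prefix; unquoted, any
# glob characters in the client-supplied name would be treated as a pattern.
authuuid="${authuuid#"$authuser"}"
authuuid="${authuuid#/dnQualifier=}"
if [ -z "$authuser" ]; then
	echo "Only authenticated users may push, sorry" >&2
	# (listing lines 147-148 not shown)

# Every identity except the shared "mob" user (when mob support is enabled)
# must present the UUID currently recorded for that user; a failing lookup or
# a mismatch means the certificate is stale.
# NOTE(review): when REMOTE_USER carries no dnQualifier, authuuid is empty and
# the comparison passes if get_user_uuid succeeds with empty output - confirm
# whether that case is meant to be accepted.
if [ "$authuser" != "mob" ] || [ "$cfg_mob" != "mob" ]; then
	if ! useruuid="$("$cfg_basedir/bin/get_user_uuid" "$authuser")" ||
	   [ "$useruuid" != "$authuuid" ]; then
		# Sent to stderr like every other rejection message in this hook.
		echo "The user '$authuser' certificate being used is no longer valid." >&2
		echo "You may download a new user certificate at $cfg_webadmurl/edituser.cgi" >&2
		# (listing lines 153-156 not shown)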
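# Configuration sanity checks for smart HTTP pushes that arrive through a
# personal mob directory ($mobdir non-empty). Each condition is written as
# separate test commands joined with &&: the -a operator of [ is obsolescent
# and can be mis-parsed when an operand (for example the client-derived
# $authuser) looks like an operator.

# Personal mob branches require the mob user to be named "mob".
if [ -n "$mobdir" ] && [ "$cfg_mob" != "mob" ]; then
	# Should only get here if there's a misconfiguration
	echo "Personal mob branches are not supported" >&2
	# (listing lines 160-161 not shown)

# The shared mob account itself may not use personal mob branches.
if [ -n "$mobdir" ] && [ "$authuser" = "mob" ]; then
	# Should only get here if there's a misconfiguration
	echo "The mob user may not use personal mob branches" >&2
	# (listing lines 165-166 not shown)

# The project must actually have a mob subdirectory.
if [ -n "$mobdir" ] && ! [ -d "$reporoot/$proj/mob" ]; then
	# Should only get here if there's a misconfiguration
	echo "The project '$proj' does not support personal mob branches" >&2
	# (listing lines 170-171 not shown)

# Personal mob pushes are only allowed on projects the mob user may push to.
if [ -n "$mobdir" ] && ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "mob"; then
	# Should only get here if there's a misconfiguration
	echo "The user 'mob' does not have push permissions for project '$proj'" >&2
	echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
	# (listing lines 176-177 not shown)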
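# Restrict a personal mob push over smart HTTP to ref names owned by the
# authenticated user.
if [ -n "$mobdir" ]; then
	# All personal mob refs must be refs/heads/mob.$authuser or
	# refs/mob/mob.$authuser exactly, or start with refs/heads/mob_$authuser/
	# or refs/mob/mob_$authuser/ followed by at least one more character.
	# $authuser sits inside double quotes in every pattern, so it is matched
	# literally; only the trailing ?* is a glob.
	# (listing line 181 not shown; presumably it opens a case on the ref name in $1)
	"refs/heads/mob.$authuser" | \
	"refs/heads/mob_$authuser/"?* | \
	"refs/mob/mob.$authuser" | \
	"refs/mob/mob_$authuser/"?* ) :;;
	# (listing line 186 not shown; the messages below report a rejected ref name)
		echo "The user '$authuser' does not have push permissions for project '$proj'." >&2
		echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
		echo "The ref '$1' is not a valid personal mob branch ref name." >&2
		echo "Valid personal mob branch ref names are one of the following:" >&2
		echo " refs/heads/mob.$authuser or refs/mob/mob.$authuser" >&2
		echo "or refs that start with one of the following:" >&2
		echo " refs/heads/mob_$authuser/ or refs/mob/mob_$authuser/" >&2
		echo "No other personal mob branch ref names may be pushed to, sorry." >&2
		echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		# (listing lines 196-200 not shown)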
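# Ordinary smart HTTP push: the authenticated user must hold push permission
# on the project, as decided by the external can_user_push_http helper.
if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$authuser"; then
	echo "The user '$authuser' does not have push permissions for project '$proj'" >&2
	echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
	# (listing lines 204-206 not shown)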
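# Confine the shared 'mob' account to updating the existing refs/heads/mob
# branch. The update hook receives the ref name in $1, the old object id in $2
# and the new object id in $3; an all-zero old id means the ref is being
# created and an all-zero new id means it is being deleted.
# NOTE(review): the null id is hard-coded as 40 zeros (SHA-1 length). In a
# repository using a longer object id the create/delete comparisons below
# would never match - confirm that only SHA-1 repositories are served.
if [ "$cfg_mob" = "mob" ] && [ "$authuser" = "mob" ]; then
	if [ x"$1" != x"refs/heads/mob" ]; then
		echo "The mob user may push only to the 'mob' branch, sorry" >&2
		# (listing lines 210-211 not shown)
	if [ x"$2" = x"0000000000000000000000000000000000000000" ]; then
		echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
		# (listing lines 214-215 not shown)
	if [ x"$3" = x"0000000000000000000000000000000000000000" ]; then
		# Sent to stderr like every other rejection message in this hook.
		echo "The mob user may not _delete_ the 'mob' branch, smch, sorry" >&2
		# (listing lines 218-221 not shown)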
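# When mob support is enabled, refs/heads/mob.<x> and refs/heads/mob_<x> are
# reserved for personal mob branch users; per the messages below, users who do
# hold push permission must reach personal mob branches through refs/mob/.
if [ "$cfg_mob" = "mob" ]; then
	# (listing line 223 not shown; presumably it opens a case on the ref name in $1)
	"refs/heads/mob."?* | "refs/heads/mob_"?*)
		echo "Use of the ref '$1' is reserved for personal mob branch" >&2
		echo "users who do not have push permission to project '$proj'." >&2
		echo "Users with push permission may only access the personal" >&2
		echo "mob branches using refs that start with 'refs/mob/'." >&2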