From mboxrd@z Thu Jan 1 00:00:00 1970 From: valentin.haenel at gmx.de (Valentin Haenel) Date: Tue, 16 Oct 2012 11:17:44 +0200 Subject: [PATCH 2/3] Add ability to authorize viewing a repository using In-Reply-To: <1350378927-10834-4-git-send-email-valentin.haenel@gmx.de> References: <1350378927-10834-1-git-send-email-valentin.haenel@gmx.de> <1350378927-10834-4-git-send-email-valentin.haenel@gmx.de> Message-ID: <20121016091744.GJ26844@kudu.in-berlin.de> You can ignore this one, sorry. * Valentin Haenel [2012-10-16]: > This provides a mechanism for cgit to query an external program for repository > authorisation. An additional config variable 'authorization' is > --- > cgit.c | 24 ++++++++++++++++++++++++ > cgit.h | 1 + > cgitrc.5.txt | 6 ++++++ > 3 files changed, 31 insertions(+) > > diff --git a/cgit.c b/cgit.c > index 101954e12a..f06528215d 100644 > --- a/cgit.c > +++ b/cgit.c > @@ -123,6 +123,8 @@ void config_cb(const char *name, const char *value) > ctx.cfg.readme = xstrdup(value); > else if (!strcmp(name, "user-envvar")) > ctx.cfg.user_envvar = xstrdup(value); > + else if (!strcmp(name, "authorization")) > + ctx.cfg.authorization = xstrdup(value); > else if (!strcmp(name, "root-title")) > ctx.cfg.root_title = xstrdup(value); > else if (!strcmp(name, "root-desc")) > @@ -372,6 +374,7 @@ static void prepare_context(struct cgit_context *ctx) > ctx->cfg.summary_tags = 10; > ctx->cfg.max_atom_items = 10; > ctx->cfg.ssdiff = 0; > + ctx->cfg.authorization = "/bin/true"; > ctx->cfg.user_envvar = "REMOTE_USER"; > ctx->env.cgit_config = xstrdupn(getenv("CGIT_CONFIG")); > ctx->env.http_host = xstrdupn(getenv("HTTP_HOST")); > @@ -545,6 +548,27 @@ static void process_request(void *cbdata) > return; > } > > + /* Here we do the authorization check. > + * > + * TODO > + * ---- > + * * figure out if this is the correct place to do the check > + * * check that the authorization script exists and is executable > + * > + */ > + if (ctx->repo && system(fmt("%s %s %s", > + ctx->cfg.authorization, > + ctx->repo->name, > + ctx->env.remote_user)) != 0) { > + cgit_print_http_headers(ctx); > + cgit_print_docstart(ctx); > + cgit_print_pageheader(ctx); > + cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'", > + ctx->repo->name, ctx->env.remote_user)); > + cgit_print_docend(); > + exit(1); > + } > + > if (ctx->repo && prepare_repo_cmd(ctx)) > return; > > diff --git a/cgit.h b/cgit.h > index 369dd8af8b..43f4f562f3 100644 > --- a/cgit.h > +++ b/cgit.h > @@ -166,6 +166,7 @@ struct cgit_query { > struct cgit_config { > char *agefile; > char *user_envvar; > + char *authorization; > char *cache_root; > char *clone_prefix; > char *clone_url; > diff --git a/cgitrc.5.txt b/cgitrc.5.txt > index cd7327a4b3..d864289502 100644 > --- a/cgitrc.5.txt > +++ b/cgitrc.5.txt > @@ -40,6 +40,12 @@ agefile:: > function in libgit. Recommended timestamp-format is "yyyy-mm-dd > hh:mm:ss". Default value: "info/web/last-modified". > > +authorization:: > + Specifies a path to authorization executable. The executable must take two > + arguments: " []". The permission is the > + type of permission we wish to check for, e.g. "R" or "RW" or "RW+". A > + common use case is to call gitolite through this machinery. > + > cache-root:: > Path used to store the cgit cache entries. Default value: > "/var/cache/cgit". See also: "MACRO EXPANSION". > -- > 1.7.9.5 >