
aee9fc794ba8f94fdec68c4fb3f200d12c05bc2f — Drew DeVault 8 years ago abae60c
Add check for repository ownership
3 files changed, 19 insertions(+), 11 deletions(-)

M git-srht-keys
M gitsrht/blueprints/manage.py
M gitsrht/types/repository.py
M git-srht-keys => git-srht-keys +12 -1
@@ 104,7 104,7 @@ def shell():

    from srht.database import DbSession
    db = DbSession(cfg("sr.ht", "connection-string"))
    from gitsrht.types import User
    from gitsrht.types import User, Repository
    db.init()

    user = User.query.filter(User.id == user_id).first()


@@ 126,6 126,17 @@ def shell():
        sys.exit(128)
    cmd[-1] = path
    _cmd = " ".join(shlex.quote(arg) for arg in cmd)

    repo = Repository.query.filter(Repository.path == path).first()
    if not repo:
        sys.stderr.write("Unknown repository")
        sys.exit(128)
    
    if user.id != repo.owner_id:
        # TODO: ACLs
        sys.stderr.write("Access denied")
        sys.exit(128)

    log("Executing {}", _cmd)
    if _log:
        _log.close()

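Review bot: The two new error paths write `"Unknown repository"` and `"Access denied"` to stderr without a trailing newline, so the text is fused with whatever the ssh session prints next; use `sys.stderr.write("Unknown repository\n")` and `sys.stderr.write("Access denied\n")`. The test `user.id != repo.owner_id` denies every non-owner regardless of the requested operation, so read access to a repository whose `visibility` is public is refused along with pushes; the `# TODO: ACLs` comment should state that, e.g. `# TODO: ACLs -- until then non-owners are refused even read access to public repositories`. Whether `user` can be None at this point depends on the lines between the two hunks, which are outside this view; if the earlier `User.query...first()` result is not checked, `user.id` raises AttributeError before the ownership check runs. `shell()` starts before the first hunk and continues past this one.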
M gitsrht/blueprints/manage.py => gitsrht/blueprints/manage.py +6 -10
@@ 51,22 51,18 @@ def create():
    repo.description = description
    repo.owner_id = current_user.id
    repo.visibility = RepoVisibility[visibility]
    repo.path = os.path.join(repos_path, "~" + current_user.username)
    db.session.add(repo)

    path = os.path.join(repos_path, "~" + current_user.username)

    subprocess.run(["mkdir", "-p", path])
    subprocess.run(["git", "init", "--bare", repo_name], cwd=path)
    subprocess.run(["ln", "-s", repo_name, repo_name + ".git"], cwd=path)

    # TODO: other shit, probably, like setting up hooks
    subprocess.run(["mkdir", "-p", repo.path])
    subprocess.run(["git", "init", "--bare", repo_name], cwd=repo.path)
    subprocess.run(["ln", "-s", repo_name, repo_name + ".git"], cwd=repo.path)

    db.session.commit()

    subprocess.run(["git", "config", "srht.repo-id", str(repo.id)],
            cwd=os.path.join(path, repo_name))
    subprocess.run(["git", "config", "srht.repo-id", str(repo.id)], cwd=repo.path)
    hook_src = os.path.join(os.path.dirname(__file__), "..", "..", "hooks", "update")
    shutil.copy(hook_src, os.path.join(path, repo_name, "hooks", "update"))
    shutil.copy(hook_src, os.path.join(repo.path, "hooks", "update"))

    if another == "on":
        return redirect("/manage?another")

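Review bot: As rendered, the `repo.path = os.path.join(repos_path, "~" + current_user.username)` line sets `repo.path` to the per-user directory (no `repo_name` component), and the `mkdir -p`, `git init --bare repo_name` and `ln -s` calls treat it that way, yet the later `git config ... cwd=repo.path` and `shutil.copy(hook_src, os.path.join(repo.path, "hooks", "update"))` lines treat `repo.path` as the repository directory itself; if the rendered line is complete, the `srht.repo-id` setting and the update hook land in the user directory, and the `Repository.path == path` lookup in git-srht-keys would compare the ssh-requested repository path against the user directory. Keep the user directory in a local for the `mkdir`/`init`/`ln` steps and store the repository directory in the row, `repo.path = os.path.join(repos_path, "~" + current_user.username, repo_name)`. Separately, none of the `subprocess.run` calls pass `check=True`, so a failed `mkdir` or `git init` still reaches `db.session.commit()` and records a repository with no backing directory. `create()` begins before the hunk and ends after it.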
M gitsrht/types/repository.py => gitsrht/types/repository.py +1 -0
@@ 17,6 17,7 @@ class Repository(Base):
    description = sa.Column(sa.Unicode(1024))
    owner_id = sa.Column(sa.Integer, sa.ForeignKey('user.id'), nullable=False)
    owner = sa.orm.relationship('User', backref=sa.orm.backref('repos'))
    path = sa.Column(sa.Unicode(1024))
    visibility = sa.Column(
            sau.ChoiceType(RepoVisibility, impl=sa.String()),
            nullable=False,