[cvsnt] Re: Any possibility to control branch acl on a per-file level using a "cvs chacl" -like command?
Kim Hansen
kha at mita-teknik.com
Fri Aug 13 00:58:43 BST 2004
Hi Glen, John and Tony
I ended up implementing the commitinfo script in Perl (my first), and it works like a charm, thanks!
Just in case anyone else wants to implement a similar cvs chacl-like feature using the commitinfo hook, I have some sample code here, which I guess can be adjusted quite easily for other needs or tasks:
######################################################################
#
# UsersAllowedHeadCommit.pl
#
# Precommit script to restrict access for commits to head
# for specific files for all users except especially privileged ones.
#
# Must be called from commitinfo with the following arguments:
#
# ARGV[0] = Current User
# ARGV[1] = Colon separated list of privileged users
# ARGV[2..n-1] = List of files in Module to restrict head commits on
# ARGV[n] = Module (automatically passed as the last arg by cvsnt)
#
# $Id: UsersAllowedHeadCommit.pl,v 1.25 2004/08/12 23:34:41 kha Exp $
#
######################################################################
use strict;
use warnings;

# Eat the first two left-hand args.
my $currentuser = shift(@ARGV);
my @allowedusers = split(/:/, shift(@ARGV));
# The right most is the module
my $module = pop(@ARGV);
# The remaining args are the list of files
my @restrictedfiles = @ARGV;
my @committedfiles = <STDIN>;
# Trim line feeds, superfluous spaces etc..
foreach (@committedfiles)
{
    chomp($_);
}
# Check if the list of committed files contains any of the restricted files.
# If yes, generate a list of files to check afterwards.
# If no, allow the commit.
my $restrictedfound = 0;
my @filestocheck;
foreach my $committedfile (@committedfiles)
{
    foreach (@restrictedfiles)
    {
        if ($_ eq $committedfile)
        {
            $restrictedfound = 1;
            push(@filestocheck, $committedfile);
            # One match is enough for this file; go on to the next committed file.
            last;
        }
    }
}
if (!$restrictedfound)
{
    # print "None of the committed files were restricted to commits on head. Proceed!\n";
    exit(0);
}
# Load the CVS/Entries (which is a temp copy residing on the server at this stage)
# Go through the list and compare it with the files to check. If a match is found,
# check, if the commit attempt is done on the main branch. If that is so add the file to
# a list of restricted files on which commits to head is attempted.
my $committingonhead = 0;
my @restrictedcommittingonhead;
my $ENTRIES = 'CVS/Entries';
open(my $entries_fh, '<', $ENTRIES) || die("Cannot open $ENTRIES.\n");
while (<$entries_fh>) {
    chomp;
    # Only file lines start with "/"; skip directory ("D...") and blank lines.
    next unless m{^/};
    # /file/ver/timestamp/options/tag_or_date
    my ($filename, $version, $ts, $opt, $tag) = split('/', substr($_, 1));
    foreach (@filestocheck)
    {
        if ($filename eq $_)
        {
            # split drops empty trailing fields, so a missing tag arrives as undef.
            if (!defined($tag) || $tag eq '')
            {
                $committingonhead = 1;
                push(@restrictedcommittingonhead, $filename);
            }
        }
    }
}
close($entries_fh);
if (!$committingonhead) {
    # print "Commit attempts on the restricted file(s): @filestocheck are not done on main branch. Proceed!\n";
    exit(0);
}
# Check if current user is one of the allowed users.
# If yes, allow the commit of the restricted files on the main branch.
foreach (@allowedusers)
{
    if ($currentuser eq $_)
    {
        # print "$currentuser is privileged and may commit @restrictedcommittingonhead on head without further checks.\n";
        exit(0);
    }
}
# And finally, judgement day for the unlucky...
print "You have tried to commit the restricted file(s): @restrictedcommittingonhead on the main branch.\n";
print "Only the privileged user(s): @allowedusers are allowed to do this.\n";
print "Contact this user/these users to resolve the problem, or convince your release manager";
print " that you should be granted the same privileges (cf. CVSROOT/commitinfo).\n";
exit(1);
Cheers,
Kim
-----Original Message-----
From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org] On behalf of
Kim Hansen
Sent: 12 August 2004 21:20
To: cvsnt at cvsnt.org
Subject: Re: [cvsnt] Re: Any possibility to control branch acl on
a per-file level using a "cvs chacl" -like command?
John Kinson wrote:
>You're right Glen, the commitinfo hook could be used for this. The
>script is invoked with the first parameter containing
>"/repository/module[/subdirectory/...]", and a list of files being
>committed within that directory is supplied on stdin.
>
>Kim, you need to write a commitinfo script as discussed in the cvsnt
>documentation that checks whether the CVS_USER environment variable
>matches one of your two authorised users, and if not, checks whether the
>restricted files are present in the supplied data. If they are, then
>your script should return a non-zero value to prevent the commit from
>proceeding, and return 0 otherwise.
I still can't get this right.... For testing purposes I have tried to insert a
line like this in commitinfo:
Testmodules/kha/testacl AllowCommitOnHead -user:$USER -allowedusers:kha -restrictedfiles:OnlyKHACommitOnHead.txt
where the cmd line arguments are some I parse to the AllowCommitOnHead batch file, which uses the arguments to determine whether a commit is allowed. In addition to these arguments,
cvsnt adds the module, that is Testmodules/kha/testacl to the script, but how do I get hold of the list of files that are being committed to that folder?
I need those as well in the script.
As John wrote, these files are supplied on stdin, but how do I parse that to the script as an additional argument?
Had it only been in a file like loginfo, where %s, could have been used easily.....
Cheers,
Kim
_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
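
An added example, not part of the original post or of cvsnt: the script's allow/deny decision isolated into two functions, so it can be checked against constructed CVS/Entries lines before the hook is wired into commitinfo. The function names head_commits and commit_allowed, the sample Entries lines and the user someoneelse are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): the hook's decision as
# functions, exercised on constructed CVS/Entries lines.
use strict;
use warnings;

# Return the restricted files that are being committed without a sticky tag,
# i.e. on the main branch. $entries_text is the content of CVS/Entries.
sub head_commits {
    my ($entries_text, $committed, $restricted) = @_;
    my %committed  = map { $_ => 1 } @$committed;
    my %restricted = map { $_ => 1 } @$restricted;
    my @on_head;
    foreach my $line (split /\r?\n/, $entries_text) {
        next unless $line =~ m{^/};      # skip "D/subdir////" and blank lines
        # /file/ver/timestamp/options/tag_or_date; -1 keeps empty trailing fields
        my (undef, $file, $rev, $ts, $opt, $tag) = split m{/}, $line, -1;
        next unless $committed{$file} && $restricted{$file};
        push @on_head, $file if !defined $tag || $tag eq '';
    }
    return @on_head;
}

# Deny only when a restricted file goes to head and the user is not privileged.
sub commit_allowed {
    my ($user, $allowed, @on_head) = @_;
    return 1 unless @on_head;
    return scalar grep { $_ eq $user } @$allowed;
}

# Constructed sample: one file on head, one on a branch, one directory entry.
my $entries = join "\n",
    '/OnlyKHACommitOnHead.txt/1.4/Thu Aug 12 21:05:10 2004//',
    '/Branched.txt/1.2.2.1/Thu Aug 12 21:06:00 2004//Trel_1_0_branch',
    'D/docs////';
my @restricted = ('OnlyKHACommitOnHead.txt', 'Branched.txt');
my @committed  = ('OnlyKHACommitOnHead.txt', 'Branched.txt', 'Readme.txt');

my @hits = head_commits($entries, \@committed, \@restricted);
foreach my $user ('kha', 'someoneelse') {
    my $ok = commit_allowed($user, ['kha'], @hits);
    printf "%-12s restricted-on-head=[%s] -> %s\n",
        $user, join(',', @hits), $ok ? 'allow (exit 0)' : 'deny (exit 1)';
}
```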