[Fusionforge-commits] FusionForge branch 6.0 updated. 875dcc88148919928ffb61bc82ad1eee1f5d5fd8

Sylvain Beucler beuc-inria at fusionforge.org
Fri Feb 20 16:11:03 CET 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, 6.0 has been updated
       via  875dcc88148919928ffb61bc82ad1eee1f5d5fd8 (commit)
       via  35e78b7b3351ed58680703b04a25b0061dbdad63 (commit)
      from  b47ee75c1eb4a39a8b2b35988f63e2fec59655b6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 875dcc88148919928ffb61bc82ad1eee1f5d5fd8
Author: Sylvain Beucler <sylvain.beucler at inria.fr>
Date:   Fri Feb 20 16:08:57 2015 +0100

    scmsvn: stop generating svnroot-access
    - we rely on Unix privs thanks to ITK
    - we fixed the 'read-only' access using appropriate $project and scm_$project chown'ing
    - huge performance boost: no longer waiting 10-20 min for the file to be generated on large instances

diff --git a/src/plugins/scmsvn/common/SVNPlugin.class.php b/src/plugins/scmsvn/common/SVNPlugin.class.php
index d401004..c975395 100644
--- a/src/plugins/scmsvn/common/SVNPlugin.class.php
+++ b/src/plugins/scmsvn/common/SVNPlugin.class.php
@@ -319,71 +319,21 @@ some control over it to the project's administrator.");
 	function updateRepositoryList(&$params) {
 		$groups = $this->getGroups();
 
+		# Reproduce nss_passwd on file, so we can work without mod_auth_pgsql2
+		$fname = forge_get_config('data_path').'/svnroot-authfile';
+		$f = fopen($fname.'.new', 'w');
+
+		# Enable /authscm/$user URLs
 		$config_fname = forge_get_config('data_path').'/scmsvn-auth.inc';
 		$config_f = fopen($config_fname.'.new', 'w');
 			
-		$access_data = '';
-		$password_data = '';
-		$engine = RBACEngine::getInstance() ;
-
-		$svnusers = array();
-		foreach ($groups as $project) {
-			if ( !$project->isActive()) {
-				continue;
-			}
-			if ( !$project->usesSCM()) {
-				continue;
-			}
-			$access_data .= '[' . $project->getUnixName() . ":/]\n";
-
-			$users = $engine->getUsersByAllowedAction('scm',$project->getID(),'read');
-			if ($users === false) {
-				$params['output'] .= $engine->getErrorMessage();
-				return false;
-			}
-			foreach ($users as $user) {
-				$svnusers[$user->getID()] = $user;
-				if (forge_check_perm_for_user($user,
-							       'scm',
-							       $project->getID(),
-							       'write')) {
-					$access_data .= $user->getUnixName() . "= rw\n";
-				} else {
-					$access_data .= $user->getUnixName() . "= r\n";
-				}
-			}
-
-			if ($project->enableAnonSCM()) {
-				$anonRole = RoleAnonymous::getInstance();
-				if ($anonRole->hasPermission('scm', $project->getID(), 'write')) {
-					$access_data .= forge_get_config('anonsvn_login', 'scmsvn')." = rw\n";
-				} else {
-					$access_data .= forge_get_config('anonsvn_login', 'scmsvn')." = r\n";
-				}
-			}
-
-			$access_data .= "\n";
-			$engine->invalidateRoleCaches();  // caching all roles takes ~1GB RAM for 5K projects/15K users
-			fwrite($config_f, "\n");
+		$res = db_query_params("SELECT login, passwd FROM nss_passwd WHERE status=$1", array('A'));
+		while ($arr = db_fetch_array($res)) {
+			fwrite($f, $arr['login'].':'.$arr['passwd']."\n");
+			fwrite($config_f, 'Use ScmsvnUser '.$arr['login']."\n");
 		}
+		fwrite($f, forge_get_config('anonsvn_login', 'scmsvn').":".htpasswd_apr1_md5(forge_get_config('anonsvn_password', 'scmsvn'))."\n");
 
-		foreach ($svnusers as $user_id => $user) {
-			$password_data .= $user->getUnixName().':'.$user->getUnixPasswd()."\n";
-			fwrite($config_f, 'Use ScmsvnUser '.$user->getUnixName().'
-');
-		}
-		$password_data .= forge_get_config('anonsvn_login', 'scmsvn').":".htpasswd_apr1_md5(forge_get_config('anonsvn_password', 'scmsvn'))."\n";
-
-		$fname = forge_get_config('data_path').'/svnroot-authfile';
-		$f = fopen($fname.'.new', 'w');
-		fwrite($f, $password_data);
-		fclose($f);
-		chmod($fname.'.new', 0644);
-		rename($fname.'.new', $fname);
-
-		$fname = forge_get_config('data_path').'/svnroot-access';
-		$f = fopen($fname.'.new', 'w');
-		fwrite($f, $access_data);
 		fclose($f);
 		chmod($fname.'.new', 0644);
 		rename($fname.'.new', $fname);
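Review bot: The result of `db_query_params()` and both `fopen()` handles are used without any check, whereas the removed loop returned false when its RBAC lookup failed. If the query fails, the `while` body never runs and the `rename()` at the end of the hunk still replaces svnroot-authfile with a file holding only the anonymous entry; a guard such as `if (!$res || !$f || !$config_f) { return false; }` before the loop would leave the previous file in place. The file now carries the `passwd` value of every nss_passwd row with status 'A' rather than only users with SCM access, so the unchanged `chmod($fname.'.new', 0644)` deserves a second look; a tighter mode such as `0640` is worth considering if the Apache/ITK setup can still read the file. The logins are also written verbatim into `Use ScmsvnUser` lines, which presumably relies on them being restricted to a safe character set at account creation. updateRepositoryList continues past the end of the hunk.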

commit 35e78b7b3351ed58680703b04a25b0061dbdad63
Author: Sylvain Beucler <sylvain.beucler at inria.fr>
Date:   Fri Feb 20 16:07:59 2015 +0100

    scmsvn: only create /authscm/$user URLs for valid users

diff --git a/src/plugins/scmsvn/etc/httpd.conf.d/05-config-macros-scmsvn.conf b/src/plugins/scmsvn/etc/httpd.conf.d/05-config-macros-scmsvn.conf
index 95a33c7..5e6ddc8 100644
--- a/src/plugins/scmsvn/etc/httpd.conf.d/05-config-macros-scmsvn.conf
+++ b/src/plugins/scmsvn/etc/httpd.conf.d/05-config-macros-scmsvn.conf
@@ -1,3 +1,9 @@
+# Per-user macro to:
+# - specific explicit user (Require $user)
+# - only create user URL if the user is valid
+#   (avoids /authscm/root/ or /authscm/bin/ access)
+#   Maybe we can switch to LimitUIDRange, cf. 20-vhosts-scm.conf
+
 <Macro ScmsvnUser $user>
 <Location /authscm/$user/svn>
   DAV svn
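Review bot: The new header comment is hard to parse at `# - specific explicit user (Require $user)`, and it names a directive that differs from the `Require user $user` line the macro actually contains. Wording such as `# - restrict each location to one explicit user (Require user $user)` would match the macro body. The macro itself continues outside this hunk.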
@@ -7,6 +13,7 @@
   Require user $user
   # Note: ^ AuthzSVNAccessFile would have priority over this so don't use it
 </Location>
+ScriptAlias /authscm/$user/viewvc {core/source_path}/plugins/scmsvn/cgi-bin/viewvc.cgi
 # Authentified via cookie in viewvc.php:
 #<Location /authscm/$user/viewvc>
 #  Require user $user
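Review bot: The `ScriptAlias /authscm/$user/viewvc` added inside the macro has no access control of its own in this file: the `<Location /authscm/$user/viewvc>` block below it is commented out, and the comment refers to cookie authentication in viewvc.php while the alias points at viewvc.cgi. It would help to confirm that the CGI path rejects a session whose user differs from `$user`, because otherwise the per-user URL prefix may not restrict access by itself. If that holds, a one-line comment such as `# viewvc.cgi checks the session cookie against $user; no Require here on purpose` would record the intent. The macro continues past the end of the hunk.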
diff --git a/src/plugins/scmsvn/etc/httpd.conf.d/plugin-scmsvn.inc b/src/plugins/scmsvn/etc/httpd.conf.d/plugin-scmsvn.inc
index 078261f..b0e5e35 100644
--- a/src/plugins/scmsvn/etc/httpd.conf.d/plugin-scmsvn.inc
+++ b/src/plugins/scmsvn/etc/httpd.conf.d/plugin-scmsvn.inc
@@ -25,7 +25,6 @@
 #  AuthUserFile {core/data_path}/svnroot-authfile
 #</LocationMatch>
 ScriptAlias /anonscm/viewvc {core/source_path}/plugins/scmsvn/cgi-bin/viewvc.cgi
-ScriptAliasMatch ^/authscm/[^/]+/viewvc(.*) {core/source_path}/plugins/scmsvn/cgi-bin/viewvc.cgi$1
 #Alias /doc/viewvc /usr/share/viewvc/docroot
 <Directory {core/source_path}/plugins/scmsvn/cgi-bin>
   Require all granted

-----------------------------------------------------------------------

Summary of changes:
 src/plugins/scmsvn/common/SVNPlugin.class.php      |   70 +++-----------------
 .../etc/httpd.conf.d/05-config-macros-scmsvn.conf  |    7 ++
 .../scmsvn/etc/httpd.conf.d/plugin-scmsvn.inc      |    1 -
 3 files changed, 17 insertions(+), 61 deletions(-)


hooks/post-receive
-- 
FusionForge


