From 507bc8f2818a42d751ed6e2e2fc68ee2bde94016 Mon Sep 17 00:00:00 2001
From: paulr
Date: Tue, 8 Nov 2011 20:20:41 +1100
Subject: [PATCH] reaplced the git service code (main gitbackendinterface()) with a new one that does permission checking

---
 gwvplib/gwvpauth.php | 7 ----
 gwvplib/gwvpgitcontrol.php | 81 +++++++++++++++++++++++++++++++++++++++++--
 gwvplib/gwvpweb.php | 12 ++++++
 3 files changed, 89 insertions(+), 11 deletions(-)

diff --git a/gwvplib/gwvpauth.php b/gwvplib/gwvpauth.php
index 3e0ddcd..086af98 100644
--- a/gwvplib/gwvpauth.php
+++ b/gwvplib/gwvpauth.php
@@ -40,7 +40,6 @@ function gwvp_AskForBasicAuth()
 if(!isset($_SERVER["PHP_AUTH_USER"])) {
 header('WWW-Authenticate: Basic realm="My Realm"');
 header('HTTP/1.0 401 Unauthorized');
- exit(0);
 } else return;
 }
@@ -59,12 +58,6 @@ function gwvp_CheckAuthLevel($levels)
 return false;
 }
-function gwvp_fourZeroThree()
-{
- header("HTTP/1.0 403 Permission Denied");
- exit(0);
-}
-
 function gwvp_AuthNoPerms()
 {
 gwvp_goMainPage("gwvp_AuthNoPermsBody");
diff --git a/gwvplib/gwvpgitcontrol.php b/gwvplib/gwvpgitcontrol.php
index 7093812..a59a02b 100644
--- a/gwvplib/gwvpgitcontrol.php
+++ b/gwvplib/gwvpgitcontrol.php
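Review bot: Removing `exit(0);` after the 401 challenge changes the contract of gwvp_AskForBasicAuth: the script no longer stops when it sends the challenge, so every caller must now return on its own, and any caller outside this diff that relied on the exit will carry on past the challenge as though the request were authenticated. The caller also gets no signal, since the function returns void both after sending the challenge and in the `} else return;` branch where credentials were present. Returning a bool, `return false;` after the two header() calls and `return true;` in the else branch, lets callers stop on a false result instead of guessing. The function's signature line lies before this hunk.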
@@ -33,29 +33,102 @@ function gwvp_repoPermissionCheck($repo, $user)
 return true;
 }
-function gwvp_gitBackendInterface_new()
+function gwvp_gitBackendInterface()
 {
 // and this is where i re-code the git backend interface from scratch
 global $BASE_URL;
 $repo_base = gwvp_getConfigVal("repodir");
+ // TODO: we need to stop passing the repo name around as "repo.git", it needs to be just "repo"
+ $repo = "";
+ $repoid = -1;
 $newloc = "/";
 if(isset($_REQUEST["q"])) {
 $query = $_REQUEST["q"];
 $qspl = explode("/", $query);
 $repo = $qspl[1];
+ $repoid = gwvp_resolvRepoPerms($repo);
 for($i=2; $i < count($qspl); $i++) {
 $newloc .= "/".$qspl[$i];
 }
 }
+ if($repoid == -1) {
+ gwvp_fourZeroFour();
+ return;
+ }
+
+ // so now we have the repo
+ // next we determine if this is a read or a write
+ $write = false;
+ if(isset($_REQUEST["service"])) {
+ if($_REQUEST["service"] == "git-receive-pack") {
+ $write = true;
+ }
+ }
+ if($_SERVER["REQUEST_METHOD"] == "POST") {
+ $write = true;
+ }
+
+ // if its a write, we push for authentication
+ if($write) {
+ $person = gwvp_checkBasicAuthLogin();
+ if($person == false) {
+ gwvp_AskForBasicAuth();
+ return;
+ } else {
+ $perms = gwvp_resolvRepoPerms($person["id"], $repoid);
+ if($perms < 3) {
+ gwvp_fourZeroThree();
+ return;
+ } else {
+ // here we pass to the git backend
+ gwvp_callGitBackend($person["username"], $repo);
+ }
+ }
+ return;
+ }
+
+ // if not we figure out the anon permissions for a repo
+ $perms = gwvp_resolvRepoPerms(-1, $repoid);
+
+ // if they're less then read, we need to then check the user auth permissions
+ if($perms < 2) {
+ // we ask for auth
+ $person = gwvp_checkBasicAuthLogin();
+ if($person == false) {
+ gwvp_AskForBasicAuth();
+ return;
+ } else {
+ $perms = gwvp_resolvRepoPerms($person["id"], $repoid);
+ if($perms < 3) {
+ gwvp_fourZeroThree();
+ return;
+ }
+ }
+ }
+
+ // if we made it this far, we a read and we have permissions to do so, just search the file from the repo
+
 if(file_exists("$repo_base/$repo/$newloc")) {
+ error_log("would ask $repo,$actual_repo_name for $repo/$newloc from $repo_base/$repo/$newloc");
+ $fh = fopen("$repo_base/$repo/$newloc", "rb");
+
+ error_log("pushing file");
+ while(!feof($fh)) {
+ echo fread($fh, 8192);
+ }
+ } else {
+ //echo "would ask $repo,$actual_repo_name for $repo/$newloc from $repo_base/$repo/$newloc, NE";
+ gwvp_fourZeroFour();
+ return;
+ }
 }
-function gwvp_gitBackendInterface()
+function gwvp_gitBackendInterface_old()
 {
 global $BASE_URL;
@@ -175,7 +248,7 @@ function gwvp_canManageRepo($userid, $repoid)
 return false;
 }
-function gwvp_callGitBackend($repo)
+function gwvp_callGitBackend($username, $reponame)
 {
 // this is where things become a nightmare
 $fh = fopen('php://input', "r");
@@ -216,7 +289,7 @@ function gwvp_callGitBackend($repo)
 $procenv["GIT_HTTP_EXPORT_ALL"] = "1";
 $procenv["QUERY_STRING"] = "$qs";
 $procenv["HTTP_USER_AGENT"] = "git/1.7.1";
- $procenv["REMOTE_USER"] = "user";
+ $procenv["REMOTE_USER"] = "$username";
 $procenv["REMOTE_ADDR"] = "1.2.3.4";
 $procenv["AUTH_TYPE"] = "Basic";
diff --git a/gwvplib/gwvpweb.php b/gwvplib/gwvpweb.php
index 92ed814..3cc931c 100644
--- a/gwvplib/gwvpweb.php
+++ b/gwvplib/gwvpweb.php
@@ -226,4 +226,16 @@ function gwvp_TailBuilder()
 echo "Copyright 2011, PJR - licensed under GPL";
 }
+function gwvp_fourZeroThree()
+{
+ header("HTTP/1.0 403 Permission Denied");
+}
+
+function gwvp_fourZeroFour()
+{
+ header("HTTP/1.0 404 No Such Thing");
+}
+
+
+
 ?>
\ No newline at end of file
-- 
1.7.0.4
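Review bot: The authenticated fallback on the read path demands write permission: after the anonymous lookup returns below 2, a logged-in user is rejected by `if($perms < 3)`, the same threshold the write branch uses, so read-only users get a 403 on every fetch; that check should be `if($perms < 2) {`. The repo lookup `$repoid = gwvp_resolvRepoPerms($repo);` passes a single name while every other call in the hunk passes `(userid, repoid)` and treats the result as a permission level, so unless that helper has a one-argument name-to-id mode not visible here, `$repoid` holds a permission value, the `== -1` test does not detect a missing repo, and the later permission lookups run against the wrong id. The file served at the end is assembled from `$repo` and `$newloc`, both copied verbatim from `$_REQUEST["q"]` with no rejection of `..` segments, so the read-permission check on the named repo does not bound which file is opened; canonicalise with realpath() and require the result to be a regular file under `$repo_base` before opening it, check `fopen()` for false, and `fclose()` the handle (the error_log line also reads an undefined `$actual_repo_name`). The `_old` copy of the function should be deleted rather than kept under a new name; its body continues past the end of this hunk.
```php
// … unchanged: repo resolution, write path and read permission checks …
$path = realpath("$repo_base/$repo/$newloc");
$base = realpath($repo_base);
if($path === false || $base === false || !is_file($path)
    || strncmp($path, "$base/", strlen($base) + 1) !== 0) {
    gwvp_fourZeroFour();
    return;
}
$fh = fopen($path, "rb");
if($fh === false) {
    gwvp_fourZeroFour();
    return;
}
while(!feof($fh)) {
    echo fread($fh, 8192);
}
fclose($fh);
```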
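Review bot: The signature of gwvp_callGitBackend renames `$repo` to `$reponame`, but the body runs past this hunk and no use of the old name is shown as updated; if any `$repo` reference remains inside, it now reads an undefined variable and the backend is invoked without a repository path. Either keep the parameter name `$repo` or rename every use in the body. The new call site in gwvp_gitBackendInterface passes `$person["username"], $repo`, so the argument order does match the new signature.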
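Review bot: `$procenv["REMOTE_USER"] = "$username";` wraps the variable in a string for no reason; `$procenv["REMOTE_USER"] = $username;` yields the same value, and the quoted form silently turns a null into an empty string instead of surfacing a problem. Since this value is the identity the git backend sees for the push, it should carry exactly the verified username. The function body continues outside this hunk.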
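Review bot: The two new status helpers send only a header and return, so unlike the gwvp_fourZeroThree they replace (which called exit) they rely on every caller returning immediately afterwards; gwvp_gitBackendInterface does, but any other path that reaches them and keeps rendering will emit a page body under a 403/404 status, after which further header() calls fail. Either end the response inside each helper or document the contract on both, e.g. `// Sends the status line only; the caller must return at once and emit nothing further.` The reason phrases `Permission Denied` and `No Such Thing` are non-standard; clients act on the code, so `HTTP/1.0 403 Forbidden` and `HTTP/1.0 404 Not Found` are the conventional lines. The closing `?>` at the end of this PHP-only file should go as well, so that no stray trailing whitespace can be output before these header() calls.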