From 507bc8f2818a42d751ed6e2e2fc68ee2bde94016 Mon Sep 17 00:00:00 2001
From: paulr <me@pjr.cc>
Date: Tue, 8 Nov 2011 20:20:41 +1100
Subject: [PATCH] reaplced the git service code (main gitbackendinterface()) with a new
 one that does permission checking

---
 gwvplib/gwvpauth.php       |    7 ----
 gwvplib/gwvpgitcontrol.php |   81 +++++++++++++++++++++++++++++++++++++++++--
 gwvplib/gwvpweb.php        |   12 ++++++
 3 files changed, 89 insertions(+), 11 deletions(-)

diff --git a/gwvplib/gwvpauth.php b/gwvplib/gwvpauth.php
index 3e0ddcd..086af98 100644
--- a/gwvplib/gwvpauth.php
+++ b/gwvplib/gwvpauth.php
@@ -40,7 +40,6 @@ function gwvp_AskForBasicAuth()
 	if(!isset($_SERVER["PHP_AUTH_USER"])) {
 		header('WWW-Authenticate: Basic realm="My Realm"');
 		header('HTTP/1.0 401 Unauthorized');
-		exit(0);
 	} else return; 
 }
 
@@ -59,12 +58,6 @@ function gwvp_CheckAuthLevel($levels)
 	return false;
 }
 
-function gwvp_fourZeroThree()
-{
-	header("HTTP/1.0 403 Permission Denied");
-	exit(0);
-}
-
 function gwvp_AuthNoPerms()
 {
 	gwvp_goMainPage("gwvp_AuthNoPermsBody");
diff --git a/gwvplib/gwvpgitcontrol.php b/gwvplib/gwvpgitcontrol.php
index 7093812..a59a02b 100644
--- a/gwvplib/gwvpgitcontrol.php
+++ b/gwvplib/gwvpgitcontrol.php
@@ -33,29 +33,102 @@ function gwvp_repoPermissionCheck($repo, $user)
 	return true;
 }
 
-function gwvp_gitBackendInterface_new()
+function gwvp_gitBackendInterface()
 {
 	// and this is where i re-code the git backend interface from scratch
 	global $BASE_URL;
 	
 	$repo_base = gwvp_getConfigVal("repodir");
 	
+	// TODO: we need to stop passing the repo name around as "repo.git", it needs to be just "repo"
+	
 	$repo = "";
+	$repoid = -1;
 	$newloc = "/";
 	if(isset($_REQUEST["q"])) {
 		$query = $_REQUEST["q"];
 		$qspl = explode("/", $query);
 		$repo = $qspl[1];
+		$repoid = gwvp_resolvRepoPerms($repo);
 		for($i=2; $i < count($qspl); $i++) {
 			$newloc .= "/".$qspl[$i];
 		}
 	}
 	
+	if($repoid == -1) {
+		gwvp_fourZeroFour();
+		return;
+	}
+	
+	// so now we have the repo
+	// next we determine if this is a read or a write
+	$write = false;
+	if(isset($_REQUEST["service"])) {
+		if($_REQUEST["service"] == "git-receive-pack") {
+			$write = true;
+		}
+	}
+	if($_SERVER["REQUEST_METHOD"] == "POST") {
+		$write = true;
+	}
+	
+	// if its a write, we push for authentication
+	if($write) {
+		$person = gwvp_checkBasicAuthLogin();
+		if($person == false) {
+			gwvp_AskForBasicAuth();
+			return;
+		} else {
+			$perms = gwvp_resolvRepoPerms($person["id"], $repoid);
+			if($perms < 3) {
+				gwvp_fourZeroThree();
+				return;
+			} else {
+				// here we pass to the git backend
+				gwvp_callGitBackend($person["username"], $repo);
+			}
+		}
+		return;
+	}
+	
+	// if not we figure out the anon permissions for a repo
+	$perms = gwvp_resolvRepoPerms(-1, $repoid);
+	
+	// if they're less then read, we need to then check the user auth permissions
+	if($perms < 2) {
+		// we ask for auth
+		$person = gwvp_checkBasicAuthLogin();
+		if($person == false) {
+			gwvp_AskForBasicAuth();
+			return;
+		} else {
+			$perms = gwvp_resolvRepoPerms($person["id"], $repoid);
+			if($perms < 3) {
+				gwvp_fourZeroThree();
+				return;
+			}
+		}
+	}
+	
+	// if we made it this far, we a read and we have permissions to do so, just search the file from the repo
+	if(file_exists("$repo_base/$repo/$newloc")) {
+		error_log("would ask $repo,$actual_repo_name for $repo/$newloc from $repo_base/$repo/$newloc");
+		$fh = fopen("$repo_base/$repo/$newloc", "rb");
+		
+		error_log("pushing file");
+		while(!feof($fh)) {
+			echo fread($fh, 8192);
+		}
+	} else {
+		//echo "would ask $repo,$actual_repo_name for $repo/$newloc from $repo_base/$repo/$newloc, NE";
+		gwvp_fourZeroFour();
+		return;
+	}
 	
 }
 
 
-function gwvp_gitBackendInterface()
+function gwvp_gitBackendInterface_old()
 {
 	global $BASE_URL;
 	
@@ -175,7 +248,7 @@ function gwvp_canManageRepo($userid, $repoid)
 	return false;
 }
 
-function gwvp_callGitBackend($repo)
+function gwvp_callGitBackend($username, $reponame)
 {
 	// this is where things become a nightmare
 		$fh   = fopen('php://input', "r");
@@ -216,7 +289,7 @@ function gwvp_callGitBackend($repo)
 		$procenv["GIT_HTTP_EXPORT_ALL"] = "1";
 		$procenv["QUERY_STRING"] = "$qs";
 		$procenv["HTTP_USER_AGENT"] = "git/1.7.1";
-		$procenv["REMOTE_USER"] = "user";
+		$procenv["REMOTE_USER"] = "$username";
 		$procenv["REMOTE_ADDR"] = "1.2.3.4";
 		$procenv["AUTH_TYPE"] = "Basic";
 		
diff --git a/gwvplib/gwvpweb.php b/gwvplib/gwvpweb.php
index 92ed814..3cc931c 100644
--- a/gwvplib/gwvpweb.php
+++ b/gwvplib/gwvpweb.php
@@ -226,4 +226,16 @@ function gwvp_TailBuilder()
 	echo "<font size=\"-1\"><i>Copyright 2011, PJR - licensed under GPL</i></font>";
 }
 
+function gwvp_fourZeroThree()
+{
+	header("HTTP/1.0 403 Permission Denied");
+}
+
+function gwvp_fourZeroFour()
+{
+	header("HTTP/1.0 404 No Such Thing");
+}
+
+
+
 ?>
\ No newline at end of file
-- 
1.7.0.4