Files
@ 9f976d75b04c
Branch filter:
Location: kallithea/init.d/kallithea-daemon-debian - annotation
9f976d75b04c
1.7 KiB
text/plain
auth: restore anonymous repository access
Dominik Ruf found that aa25ef34ebab introduced a regression in anonymous access
to repositories ... if that is enabled.
The refactoring was too strict when it missed that not all repo permission
checks require a logged in user. Read access can be granted to the default user
... but not write or admin.
Instead of the commands used in aa25ef34ebab, the following commands are used
to consistently also allow the default user in all decorators where we only need
repo read access:
# Introduce explicit allow_default_user=True - that was the default before aa25ef34ebab
sed -i 's/@LoginRequired()/@LoginRequired(allow_default_user=True)/g' `hg mani`
sed -i 's/@LoginRequired(\(..*\))/@LoginRequired(\1, allow_default_user=True)/g' `hg mani`
# The primary case: Replace @NotAnonymous with removal of allow_default_user=True
perl -0pi -e 's/\@LoginRequired\((?:(.*), )?allow_default_user=True\)\n\s*\@NotAnonymous\(\)/\@LoginRequired(\1)/g' `hg mani`
# If there is a global permission check, no anonymous is ever allowed
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasPermission)/\@LoginRequired()\1/g' `hg mani`
# Repo access for write or admin also assume no default user
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasRepoPermissionLevelDecorator\('"'(write|admin)'"'\))/\@LoginRequired()\1/g' `hg mani`
Dominik Ruf found that aa25ef34ebab introduced a regression in anonymous access
to repositories ... if that is enabled.
The refactoring was too strict when it missed that not all repo permission
checks require a logged in user. Read access can be granted to the default user
... but not write or admin.
Instead of the commands used in aa25ef34ebab, the following commands are used
to consistently also allow the default user in all decorators where we only need
repo read access:
# Introduce explicit allow_default_user=True - that was the default before aa25ef34ebab
sed -i 's/@LoginRequired()/@LoginRequired(allow_default_user=True)/g' `hg mani`
sed -i 's/@LoginRequired(\(..*\))/@LoginRequired(\1, allow_default_user=True)/g' `hg mani`
# The primary case: Replace @NotAnonymous with removal of allow_default_user=True
perl -0pi -e 's/\@LoginRequired\((?:(.*), )?allow_default_user=True\)\n\s*\@NotAnonymous\(\)/\@LoginRequired(\1)/g' `hg mani`
# If there is a global permission check, no anonymous is ever allowed
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasPermission)/\@LoginRequired()\1/g' `hg mani`
# Repo access for write or admin also assume no default user
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasRepoPermissionLevelDecorator\('"'(write|admin)'"'\))/\@LoginRequired()\1/g' `hg mani`
99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 2c3d30095d5e e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 2c3d30095d5e e285bb7abb28 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 | #!/bin/sh -e
########################################
#### THIS IS A DEBIAN INIT.D SCRIPT ####
########################################
### BEGIN INIT INFO
# Provides: kallithea
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts instance of kallithea
# Description: starts instance of kallithea using start-stop-daemon
### END INIT INFO
APP_NAME="kallithea"
APP_HOMEDIR="opt"
APP_PATH="/$APP_HOMEDIR/$APP_NAME"
CONF_NAME="production.ini"
PID_PATH="$APP_PATH/$APP_NAME.pid"
LOG_PATH="$APP_PATH/$APP_NAME.log"
PYTHON_PATH="/$APP_HOMEDIR/$APP_NAME-venv"
RUN_AS="root"
DAEMON="$PYTHON_PATH/bin/gearbox"
DAEMON_OPTS="serve --daemon \
--user=$RUN_AS \
--group=$RUN_AS \
--pid-file=$PID_PATH \
--log-file=$LOG_PATH -c $APP_PATH/$CONF_NAME"
start() {
echo "Starting $APP_NAME"
PYTHON_EGG_CACHE="/tmp" start-stop-daemon -d $APP_PATH \
--start --quiet \
--pidfile $PID_PATH \
--user $RUN_AS \
--exec $DAEMON -- $DAEMON_OPTS
}
stop() {
echo "Stopping $APP_NAME"
start-stop-daemon -d $APP_PATH \
--stop --quiet \
--pidfile $PID_PATH || echo "$APP_NAME - Not running!"
if [ -f $PID_PATH ]; then
rm $PID_PATH
fi
}
status() {
echo -n "Checking status of $APP_NAME ... "
pid=`cat $PID_PATH`
status=`ps ax | grep $pid | grep -ve grep`
if [ "$?" -eq 0 ]; then
echo "running"
else
echo "NOT running"
fi
}
case "$1" in
status)
status
;;
start)
start
;;
stop)
stop
;;
restart)
echo "Restarting $APP_NAME"
### stop ###
stop
wait
### start ###
start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
|