author | Joey Hess <joey@kodama.kitenet.net> | 2008-10-23 16:29:50 -0400 |
---|---|---|
committer | Joey Hess <joey@kodama.kitenet.net> | 2008-10-23 16:29:50 -0400 |
commit | 4669eab596c8d90de0cf9f9d359ad8dd8f48edb5 (patch) | |
tree | 9d9adf2b1a873a54adb6fc239b3d9209ea314471 /IkiWiki | |
parent | 62962a470d48dd14ebcd39f1de37504abd2f77b5 (diff) |
more work on untrusted committers
Wired up check_canedit and check_canremove, still need to deal with
check_canattach, and test.
Diffstat (limited to 'IkiWiki')
-rw-r--r-- | IkiWiki/Plugin/editpage.pm | 2 | ||||
-rw-r--r-- | IkiWiki/Plugin/git.pm | 70 | ||||
-rw-r--r-- | IkiWiki/Plugin/remove.pm | 2 | ||||
-rw-r--r-- | IkiWiki/Receive.pm | 101 |
4 files changed, 139 insertions, 36 deletions
diff --git a/IkiWiki/Plugin/editpage.pm b/IkiWiki/Plugin/editpage.pm index 30c93df20..fe2864bac 100644 --- a/IkiWiki/Plugin/editpage.pm +++ b/IkiWiki/Plugin/editpage.pm @@ -122,7 +122,7 @@ sub cgi_editpage ($$) { #{{{ my $absolute=($page =~ s#^/+##); if (! defined $page || ! length $page || file_pruned($page, $config{srcdir})) { - error("bad page name"); + error(gettext("bad page name")); } my $baseurl = urlto($page, undef, 1); diff --git a/IkiWiki/Plugin/git.pm b/IkiWiki/Plugin/git.pm index 1facb14c0..234e7af2e 100644 --- a/IkiWiki/Plugin/git.pm +++ b/IkiWiki/Plugin/git.pm @@ -23,7 +23,7 @@ sub import { #{{{ hook(type => "rcs", id => "rcs_recentchanges", call => \&rcs_recentchanges); hook(type => "rcs", id => "rcs_diff", call => \&rcs_diff); hook(type => "rcs", id => "rcs_getctime", call => \&rcs_getctime); - hook(type => "rcs", id => "rcs_test_receive", call => \&rcs_test_receive); + hook(type => "rcs", id => "rcs_receive", call => \&rcs_receive); } #}}} sub checkconfig () { #{{{ @@ -77,7 +77,7 @@ sub getsetup () { #{{{ safe => 0, # file rebuild => 0, }, - git_untrusted_committers => { + untrusted_committers => { type => "string", example => [], description => "unix users whose commits should be checked by the pre-receive hook", @@ -588,15 +588,7 @@ sub rcs_getctime ($) { #{{{ return $ctime; } #}}} -sub rcs_test_receive () { #{{{ - # quick success if the user is trusted - my $committer=(getpwuid($<))[0]; - if (! defined $committer) { - error("cannot determine username for $<"); - } - exit 0 if ! ref $config{git_untrusted_committers} || - ! grep { $_ eq $committer } @{$config{git_untrusted_committers}}; - +sub rcs_receive () { #{{{ # The wiki may not be the only thing in the git repo. # Determine if it is in a subdirectory by examining the srcdir, # and its parents, looking for the .git directory. 
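Review bot: Renaming the setup key while moving the trust check out of this sub leaves a fail-open path for existing configurations. The only gate left is `trusted()` in IkiWiki/Receive.pm, which returns true whenever `$config{untrusted_committers}` is not a reference, so a setup file that still sets `git_untrusted_committers` would silently skip every check for the users it lists. If any setup already carries the old key, checkconfig could reject it with something like `error("git_untrusted_committers has been renamed to untrusted_committers") if exists $config{git_untrusted_committers};`. The body of rcs_receive continues beyond this hunk.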
@@ -610,54 +602,64 @@ sub rcs_test_receive () { #{{{ } } - my @errors; + my @rets; while (<>) { chomp; my ($oldrev, $newrev, $refname) = split(' ', $_, 3); # only allow changes to gitmaster_branch if ($refname !~ /^refs\/heads\/\Q$config{gitmaster_branch}\E$/) { - push @errors, sprintf(gettext("you are not allowed to change %s"), $refname); + error sprintf(gettext("you are not allowed to change %s"), $refname); } foreach my $ci (git_commit_info($oldrev."..".$newrev)) { foreach my $detail (@{ $ci->{'details'} }) { my $file = $detail->{'file'}; - # check that all changed files are in the subdir + # check that all changed files are in the + # subdir if (length $subdir && ! ($file =~ s/^\Q$subdir\E//)) { - push @errors, sprintf(gettext("you are not allowed to change %s"), $file); - next; + error sprintf(gettext("you are not allowed to change %s"), $file); } - if ($detail->{'mode_from'} ne $detail->{'mode_to'}) { - push @errors, gettext("you are not allowed to change file modes"); + my $action; + my $mode; + if ($detail->{'status'} =~ /^[M]+\d*$/) { + $action="change"; + $mode=$detail->{'mode_to'}; } - - if ($detail->{'status'} =~ /^D+\d*/) { - # TODO check_canremove + elsif ($detail->{'status'} =~ /^[AM]+\d*$/) { + $action="add"; + $mode=$detail->{'mode_to'}; } - elsif ($detail->{'status'} !~ /^[MA]+\d*$/) { - push @errors, "unknown status ".$detail->{'status'}; + elsif ($detail->{'status'} =~ /^[DAM]+\d*/) { + $action="remove"; + $mode=$detail->{'mode_from'}; } else { - # TODO check_canedit - # TODO check_canattach + error "unknown status ".$detail->{'status'}; } + + # test that the file mode is ok + if ($mode !~ /^100[64][64][64]$/) { + error sprintf(gettext("you cannot act on a file with mode %s"), $mode); + } + if ($action eq "change") { + if ($detail->{'mode_from'} ne $detail->{'mode_to'}) { + error gettext("you are not allowed to change file modes"); + } + } + + push @rets, { + file => $file, + action => $action, + }; } } } - if (@errors) { - # TODO clean up 
objects from failed push - - print STDERR "$_\n" foreach @errors; - exit 1; - } - else { - exit 0; - } + return @rets; } #}}} 1 diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm index 68bf9d1ee..c512b3b97 100644 --- a/IkiWiki/Plugin/remove.pm +++ b/IkiWiki/Plugin/remove.pm @@ -41,7 +41,7 @@ sub check_canremove ($$$) { #{{{ error(sprintf(gettext("%s is not a file"), $file)); } - # Must be editiable. + # Must be editable. IkiWiki::check_canedit($page, $q, $session); # If a user can't upload an attachment, don't let them delete it. diff --git a/IkiWiki/Receive.pm b/IkiWiki/Receive.pm new file mode 100644 index 000000000..63944bb81 --- /dev/null +++ b/IkiWiki/Receive.pm 
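Review bot: The `remove` branch's pattern `/^[DAM]+\d*/` lacks the `$` anchor that the `change` and `add` patterns have. Any status that starts with D, A or M and was not matched earlier is therefore treated as a removal and never reaches the `unknown status` error. Since this sub gates pushes from untrusted committers, unrecognised statuses should fail closed; `elsif ($detail->{'status'} =~ /^[DAM]+\d*$/) {` keeps that property. The three patterns would also benefit from a comment naming the multi-letter statuses they are meant to accept (presumably combined statuses from merges), and the mode test `/^100[64][64][64]$/` from one saying that it deliberately rejects symlinks and executable files. rcs_receive begins before this hunk.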
@@ -0,0 +1,101 @@ +#!/usr/bin/perl + +package IkiWiki::Receive; + +use warnings; +use strict; +use IkiWiki; + +sub getuser () { #{{{ + my $user=(getpwuid($<))[0]; + if (! defined $user) { + error("cannot determine username for $<"); + } + return $user; +} #}}} + +sub trusted () { #{{{ + my $user=getuser(); + return ! ref $config{untrusted_committers} || + ! grep { $_ eq $user } @{$config{untrusted_committers}}; +} #}}} + +sub test () { #{{{ + exit 0 if trusted(); + IkiWiki::rcs_test_receive(); + + # Dummy up a cgi environment to use when calling check_canedit + # and friends. + eval q{use CGI}; + error($@) if $@; + my $cgi=CGI->new; + require IkiWiki::CGI; + my $session=IkiWiki::cgi_getsession($cgi); + my $user=getuser(); + $session->param("name", $user); + $ENV{REMOTE_ADDR}='unknown' unless exists $ENV{REMOTE_ADDR}; + + lockwiki(); + loadindex(); + + my %newfiles; + + foreach my $change (IkiWiki::rcs_receive()) { + # This untaint is safe because we check file_pruned and + # wiki_file_regexp. + my $file=$change->{file}=~/$config{wiki_file_regexp}/; + $file=possibly_foolish_untaint($file); + if (! defined $file || ! length $file || + IkiWiki::file_pruned($file, $config{srcdir})) { + error(gettext("bad file name")); + } + + my $type=pagetype($file); + my $page=pagename($file) if defined $type; + + if ($change->{action} eq 'add') { + $newfiles{$file}=1; + } + + if ($change->{action} eq 'change' || + $change->{action} eq 'add') { + if (defined $page) { + if (IkiWiki->can("check_canedit") && + IkiWiki::check_canedit($page, $cgi, $session)) { + next; + } + } + else { + # TODO + #if (IkiWiki::Plugin::attachment->can("check_canattach") && + # IkiWiki::Plugin::attachment::check_canattach($session, $file, $path)) { + # next; + #} + } + } + elsif ($change->{action} eq 'remove') { + # check_canremove tests to see if the file is present + # on disk. This will fail is a single commit adds a + # file and then removes it again. 
Avoid the problem + # by not testing the removal in such pairs of changes. + # (The add is still tested, just to make sure that + # no data is added to the repo that a web edit + # could add.) + next if $newfiles{$file}; + + if (IkiWiki::Plugin::remove->can("check_canremove") && + IkiWiki::Plugin::remove::check_canremove(defined $page ? $page : $file, $cgi, $session)) { + next; + } + } + else { + error "unknown action ".$change->{action}; + } + + error sprintf(gettext("you are not allowed to change %s"), $file); + } + + exit 0; +} #}}} + +1 |
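Review bot: In `test()`, `my $file=$change->{file}=~/$config{wiki_file_regexp}/;` assigns the match result in scalar context, so `$file` holds 1 or the empty string rather than the path. Everything after it (`file_pruned`, `pagetype`, `check_canedit`, `check_canremove`) then runs on that value instead of the pushed filename, and the untaint comment above it does not describe what is actually untainted. Assuming `wiki_file_regexp` contains a capturing group (it is defined outside this diff), the list-context form `my ($file)=$change->{file}=~/$config{wiki_file_regexp}/;` gives the intended result. The call `IkiWiki::rcs_test_receive();` also looks stale, since git.pm in this same commit registers the hook only as `rcs_receive`. Finally, `my $page=pagename($file) if defined $type;` relies on behaviour perlsyn documents as undefined; `my $page=defined $type ? pagename($file) : undef;` is the safe spelling.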