
Re: [security question] commit-email.pl completely ignores access rules

From: Eric S <ejs_at_americanlowlife.com>
Date: 2005-05-02 18:23:18 CEST

Stan Devyatovsky wrote:

>Is there any way to limit email notification, so that Sally sees only
>what she is supposed to see (changes in /src/sally and /src/shared,
>but not in /src/harry) ?
>Any ideas are welcome and greatly appreciated.
>
>

Yes, it's quite possible. While my solution doesn't work for you (the
config file is kept in each user's home directory, since for us it
wasn't about security), it could probably be modified to work for you.
Basically, I wrote my own post-commit hook that handles email
notification and updating of certain "live" directories on the web
server. The latter functionality would be deleted, since it doesn't
apply here.

The config file format is

Include/Exclude:user:flag:path

where I or Include means include matched files for notification,
anything else excludes it. The rest of the fields are regexps with one
extra feature, any rule starting with ! inverts the logic, so a user
field of !$eric^ would match any commit action by a user other than
eric. Oh, and $user gets substituted with the login of the user
executing the commit. All non-blank fields must match for a rule to
apply, and the rule search terminates on the first match. Our setup
involves first reading in the user's custom rules from their home
directory, then appending the default rules to the end of this list,
though for you, you'd either add a set of rules that come before the
custom rules, or just eliminate the custom rules.

It's really quite flexible. The default rules basically say that
everyone gets notified of any change to the devel branch (we don't use
an explicit trunk), of any change they make to any branch other than
their own, and anyone else's change to their branch.

Three downsides to the script. First, this was a quick hack I threw
together in Perl in a day or so when I gave up on CVS and switched the
office to Subversion, and I haven't had the time to clean it up yet.
Because of this alone, I'm hesitant to distribute the file, though I'm
willing to let people have copies of it if they understand that it works
for me, but I can't take much time to make it work for anyone else.

Second, because it's a quick hack, the default rules and list of users
to notify are coded in the script itself, not read from a global config
file, which would be my preference. There are probably a few other things
that are hardcoded as well that I'm not thinking of at the moment.

Third, it wasn't written to be portable. It runs fine under FreeBSD,
and for most unix-like OS the largest change will probably be to change
the location of the sendmail executable. I think this is all that would
be needed under WinXX as well, assuming you've got perl 5 on that box,
though since I haven't tested the script in that environment, I could
easily be wrong.

Oh, and a fourth, it uses the SVN::Client perl bindings, so those must
be installed.

Received on Mon May 2 18:26:42 2005

This is an archived mail posted to the Subversion Users mailing list.
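
The rule evaluation described in the message above, as an added Python example (it is not Eric's Perl script, which does not appear on this page). Assumptions: the flag field is the svn change letter (A/M/D), a change that matches no rule is excluded, and every rule, path and login shown is constructed.

```python
import re

def parse_rules(text):
    """Parse 'Include/Exclude:user:flag:path' lines; 'I' or 'Include' includes, anything else excludes."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            action, user, flag, path = line.strip().split(":", 3)
            rules.append((action in ("I", "Include"), (user, flag, path)))
    return rules

def field_matches(pattern, value, committer):
    """Blank fields always match; a leading '!' inverts; $user becomes the committer's login."""
    if not pattern:
        return True
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    # Escape the login so a name containing regex metacharacters cannot widen the rule.
    regex = regex.replace("$user", re.escape(committer))
    return (re.search(regex, value) is not None) != negate

def decide(rules, committer, flag, path):
    """First matching rule wins. No match means exclude (assumption: fail closed)."""
    for include, patterns in rules:
        if all(field_matches(p, v, committer)
               for p, v in zip(patterns, (committer, flag, path))):
            return include
    return False

def visible_paths(rules, committer, changes):
    """Filter a commit's (flag, path) pairs down to what one recipient may be mailed."""
    return [path for flag, path in changes if decide(rules, committer, flag, path)]

# Constructed sample data for recipient Sally.
MANDATORY = parse_rules(r"Exclude:::!^/src/(sally|shared)/")
SALLY_CUSTOM = parse_rules("Include:::^/src/harry/\nExclude::^D$:\nInclude:::")
CHANGES = [("M", "/src/harry/main.c"), ("M", "/src/shared/util.h"),
           ("D", "/src/shared/old.h"), ("A", "/src/sally/new.c")]

if __name__ == "__main__":
    # Mandatory rules first: Sally's own Include for /src/harry never gets a say.
    print(visible_paths(MANDATORY + SALLY_CUSTOM, "harry", CHANGES))
    # Custom rules first (the wrong order for access control): /src/harry leaks.
    print(visible_paths(SALLY_CUSTOM + MANDATORY, "harry", CHANGES))
```

This filters the changed-path list only; the log message and diff placed in the mail body need the same per-recipient filtering.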