[PATCH] contrib: Add update-http-moderated hook

[public_vi@tut.by]

From: Vitaly _Vi Shukela <public_vi@tut.by>

If the user of http-backend is "mod", allow everything.
Else prevent editing history or deleting refs.
Can be used to set up "anarchic" repositories with anonymous push access,
but also with moderator account that can do "push --force" and "push --delete".

Signed-off-by: Vitaly _Vi Shukela <public_vi@tut.by>
---
 contrib/hooks/update-http-moderated |  121 +++++++++++++++++++++++++++++++++++
 1 files changed, 121 insertions(+), 0 deletions(-)
 create mode 100755 contrib/hooks/update-http-moderated

diff --git a/contrib/hooks/update-http-moderated b/contrib/hooks/update-http-moderated
new file mode 100755
index 0000000..cff4fd7
--- /dev/null
+++ b/contrib/hooks/update-http-moderated
@@ -0,0 +1,121 @@
+#!/bin/sh
+#
+# If the user of http-backend is "mod", allow everything. Else prevent editing history or deleting refs.
+# 
+# Apache configuration example:
+#
+#       SetEnv GIT_PROJECT_ROOT /var/www/git
+#       ScriptAlias /git/ /usr/local/libexec/git-core/git-http-backend/
+#       ScriptAlias /gitmod/ /usr/local/libexec/git-core/git-http-backend/
+#       
+#       
+#       <Location /gitmod/>
+#           AuthName "Git forced push access"
+#           AuthType Basic
+#           AuthUserFile /var/www/git/.htpasswd
+#           AuthGroupFile /dev/null
+#           Require User mod
+#       </Location>
+#
+# Can be used to set up "anarchic" repositories with anonymous push access,
+# but also with moderator account that has "push --force" and "push --delete" permissions.
+#
+# Based on update.sample.
+
+if [ "$REMOTE_USER" == "mod" ]; then exit 0; fi
+
+# --- Command line
+refname="$1"
+oldrev="$2"
+newrev="$3"
+
+# --- Safety check
+if [ -z "$GIT_DIR" ]; then
+	echo "Don't run this script from the command line." >&2
+	echo " (if you want, you could supply GIT_DIR then run" >&2
+	echo "  $0 <ref> <oldrev> <newrev>)" >&2
+	exit 1
+fi
+
+if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
+	echo "Usage: $0 <ref> <oldrev> <newrev>" >&2
+	exit 1
+fi
+
+# check for no description
+projectdesc=$(sed -e '1q' "$GIT_DIR/description")
+case "$projectdesc" in
+"Unnamed repository"* | "")
+	echo "*** Project description file hasn't been set" >&2
+	exit 1
+	;;
+esac
+
+# --- Check types
+# if $newrev is 0000...0000, it's a commit to delete a ref.
+zero="0000000000000000000000000000000000000000"
+if [ "$newrev" = "$zero" ]; then
+	newrev_type=delete
+else
+	newrev_type=$(git-cat-file -t $newrev)
+
+	m="`git merge-base $newrev $oldrev`"
+	if [ "$oldrev" != "$zero" -a "$m" != "$oldrev" ] ; then
+	    echo "Non-fast-forward!" >&2;
+	    exit 1;
+	fi;
+fi
+
+
+case "$refname","$newrev_type" in
+	refs/tags/*,commit)
+		# un-annotated tag
+		short_refname=${refname##refs/tags/}
+		    echo "*** The un-annotated tag, $short_refname, is not allowed in this repository" >&2
+		    echo "*** Use 'git tag [ -a | -s ]' for tags you want to propagate." >&2
+		    exit 1
+		;;
+	refs/tags/*,delete)
+		# delete tag
+		    echo "*** Deleting a tag is not allowed in this repository" >&2
+		    exit 1
+		;;
+	refs/tags/*,tag)
+		# annotated tag
+		if git rev-parse $refname > /dev/null 2>&1
+		then
+			echo "*** Tag '$refname' already exists." >&2
+			echo "*** Modifying a tag is not allowed in this repository." >&2
+			exit 1
+		fi
+		;;
+	refs/heads/*,commit)
+		# create branch
+		if [ "$oldrev" = "$zero" ]; then
+			#exit 1  # Uncomment it to disallow creating new branches
+			:;
+		fi
+		;;
+	refs/heads/*,delete)
+		# delete branch
+		echo "*** Deleting a branch is not allowed in this repository" >&2
+		exit 1
+		;;
+	refs/remotes/*,commit)
+		# tracking branch
+		exit 1;
+		;;
+	refs/remotes/*,delete)
+		# delete tracking branch
+		echo "*** Deleting a tracking branch is not allowed in this repository" >&2
+		exit 1
+		;;
+	*)
+		# Anything else (is there anything else?)
+		echo "*** Update hook: unknown type of update to ref $refname of type $newrev_type" >&2
+		exit 1
+		;;
+esac
+
+# --- Finished
+exit 0
-- 
1.7.1