Re: [RFC PATCH] gitweb: Support filtering projects by .htaccess files.

[Jakub Narebski <jnareb@gmail.com>]

Alexander Gavrilov wrote:
 
> How about the following patch, that simply adds a hook, and provides
> an example using mod_perl in the documentation?

Very nice, simple yet powerfull solution.
 
> --- >8 ---
> Subject: [PATCH] gitweb: Add a per-repository authorization hook.
> 
> Add a configuration variable that can be used to specify an
> arbitrary subroutine that will be called in the same situations
> where $export_ok is checked, and its return value used
> to decide whether the repository is to be shown.
> 
> This allows the user to implement custom authentication
> schemes, for example by issuing a subrequest through mod_perl
> and checking if Apache will authorize it.
> 
> Signed-off-by: Alexander Gavrilov <angavrilov@gmail.com>

If somebody could check out example given for this feature, I'd add
Acked-by: Jakub Narebski <jnareb@gmail.com>

> ---
>  gitweb/INSTALL     |   21 +++++++++++++++++++++
>  gitweb/gitweb.perl |    8 +++++++-
>  2 files changed, 28 insertions(+), 1 deletions(-)
> 
> diff --git a/gitweb/INSTALL b/gitweb/INSTALL
> index 26967e2..fa5917a 100644
> --- a/gitweb/INSTALL
> +++ b/gitweb/INSTALL
> @@ -166,6 +166,27 @@ Gitweb repositories
>    shows repositories only if this file exists in its object database
>    (if directory has the magic file named $export_ok).
>  
> +- Finally, it is possible to specify an arbitrary perl subroutine that
> +  will be called for each project to determine if it can be exported.
> +  The subroutine receives an absolute path to the project as its only
> +  parameter.
> +
> +  For example, if you use mod_perl to run the script, and have dumb
> +  http protocol authentication configured for your repositories, you
> +  can use the following hook to allow access only if the user is
> +  authorized to read the files:
> +
> +    $export_auth_hook = sub {
> +        use Apache2::SubRequest ();
> +        use Apache2::Const -compile => qw(HTTP_OK);
> +        my $path = "$_[0]/HEAD";
> +        my $r    = Apache2::RequestUtil->request;
> +        my $sub  = $r->lookup_file($path);
> +        return $sub->filename eq $path 
> +            && $sub->status == Apache2::Const::HTTP_OK;
> +    };

Can anybody check this? Or was it checked by author?

> +
> +
>  Generating projects list using gitweb
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 172ea6b..9329880 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -95,6 +95,11 @@ our $default_projects_order = "project";
>  # (only effective if this variable evaluates to true)
>  our $export_ok = "++GITWEB_EXPORT_OK++";
>  
> +# show repository only if this subroutine returns true
> +# when given the path to the project, for example:
> +#    sub { return -e "$_[0]/git-daemon-export-ok"; }
> +our $export_auth_hook = undef;
> +

Simple, yet powerfull. Nice short example.

>  # only allow viewing of repositories also shown on the overview page
>  our $strict_export = "++GITWEB_STRICT_EXPORT++";
>  
> @@ -400,7 +405,8 @@ sub check_head_link {
>  sub check_export_ok {
>  	my ($dir) = @_;
>  	return (check_head_link($dir) &&
> -		(!$export_ok || -e "$dir/$export_ok"));
> +		(!$export_ok || -e "$dir/$export_ok") &&
> +		(!$export_auth_hook || $export_auth_hook->($dir)));

Nice.

>  }
>  
>  # process alternate names for backward compatibility
> -- 
> tg: (0d4f9de..) t/authenticate/hook (depends on: t/authenticate/unify-exportok)
> 

P.S. Why doesn't TopGit add git and TopGit version to signature?

-- 
Jakub Narebski
Poland