@@ -76,6 +76,7 @@ read the instructions below.
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
AuthorizedKeysCommandUser aur
+ AcceptEnv AUR_OVERWRITE
9) If you want to enable smart HTTP support with nginx and fcgiwrap, you can
use the following directives:
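Review bot: The added `AcceptEnv AUR_OVERWRITE` line in the sshd_config snippet comes with no explanation in INSTALL, so an administrator cannot tell what the variable is for or that it is only needed for non-fast-forward pushes. Add a sentence next to the snippet saying that it lets clients send AUR_OVERWRITE via SendEnv and that the server-side scripts decide whether to honor it.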
@@ -52,6 +52,7 @@ def main():
env_vars = {
'AUR_USER': user,
'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
+ 'AUR_OVERWRITE' : os.environ.get('AUR_OVERWRITE', '0') if account_type > 1 else '0',
}
key = keytype + ' ' + keytext
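Review bot: On the added `'AUR_OVERWRITE'` entry, `os.environ` is the environment of the AuthorizedKeysCommand helper, which sshd runs during key lookup, before any variable the client sends with SendEnv is applied to a session, so this lookup may never see the client's value. Please confirm where the value is actually visible and read it there. If the passthrough stays, normalize it to '1' or '0' instead of copying an arbitrary client-supplied string into env_vars, and drop the space before the colon to match the neighbouring entries.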
@@ -238,6 +238,7 @@ def main():
user = os.environ.get("AUR_USER")
pkgbase = os.environ.get("AUR_PKGBASE")
privileged = (os.environ.get("AUR_PRIVILEGED", '0') == '1')
+ allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1')
warn_or_die = warn if privileged else die
if len(sys.argv) == 2 and sys.argv[1] == "restore":
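Review bot: `allow_overwrite` on the added line depends only on AUR_OVERWRITE, so the hook relies entirely on whatever set that variable having already checked the account type. Since `privileged` is computed on the line above, combine the two here, for example `allow_overwrite = privileged and (os.environ.get("AUR_OVERWRITE", '0') == '1')`, so that a client-supplied value accepted through AcceptEnv cannot enable overwrites for an unprivileged account.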
@@ -262,7 +263,7 @@ def main():
walker = repo.walk(sha1_old, pygit2.GIT_SORT_TOPOLOGICAL)
walker.hide(sha1_new)
if next(walker, None) is not None:
- if privileged:
+ if allow_overwrite:
warn("non-fast-forward push (are you absolutely sure you mean this?)")
else:
die("denying non-fast-forward (you should pull first)")
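Review bot: With `if allow_overwrite:` replacing `if privileged:`, a privileged user who pushes without AUR_OVERWRITE=1 now lands in the die() branch, whose message "you should pull first" gives no hint that an override exists. Consider a distinct message for the privileged case that names AUR_OVERWRITE, and reword the warn() text, which still asks "are you absolutely sure" even though the user has by then explicitly opted in.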
AUR_PRIVILEGED allows people with privileged AUR accounts to evade the block on non-fast-forward commits. While valid in this case, we should not do so by default, since in at least one case a TU did this without realizing there was an existing package. ( https://aur.archlinux.org/packages/rtmidi/ )

Switch to using allow_overwrite to check for destructive actions. Use .ssh/config "SendEnv" on the TU's side and sshd_config "AcceptEnv" in the AUR server to specifically request overwrite access. TUs should use: `export AUR_OVERWRITE=1; git push`

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
v2: only require confirmation for force-pushing history. If you want to restrict who can use this feature, it should be as simple as adding a new account_type and modifying the env_vars passthrough, which can be implemented separately.

INSTALL | 1 +
aurweb/git/auth.py | 1 +
aurweb/git/update.py | 3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)