Currently AccessControlVerifier calls gitolite access without specifying an absolute path.

    private function canWriteAccordingToGitolite(PFUser $user, GitRepository $repository, $reference)
    {
        $repository_name = escapeshellarg(PathJoinUtil::unixPathJoin([$repository->getProject()->getUnixName(), $repository->getFullName()]));
        $user_name       = escapeshellarg($user->getUserName());
        $reference       = escapeshellarg($reference);
        try {
            $this->system_command->exec("sudo -u gitolite /usr/bin/gitolite access -q $repository_name $user_name 'W' $reference");
        } catch (\System_Command_CommandException $ex) {
            return false;
        }
        return true;
    }

We call gitolite access through sudo, which means that we have no control over what is actually executed. System administrators might have customized the secure_path setting, which could lead to behaviors we do not expect. We should remove the uncertainty and use an absolute path when calling the gitolite CLI.
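
The dependency on secure_path described above, as an added example that is not part of the original page or the project's code: it resolves the bare name gitolite under two search orders and compares that with an absolute path. The temporary directory tree, the empty stub files and the function names are constructed for this illustration; sudo itself is not invoked and nothing is executed.

```shell
#!/bin/sh
# Added example with constructed data: empty stub files named "gitolite" stand in
# for a packaged binary and a locally installed one. Nothing is executed.

# Build a throwaway tree with two candidates and print its root.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    for f in "$root/usr/bin/gitolite" "$root/usr/local/bin/gitolite"; do
        : > "$f" && chmod 755 "$f"
    done
    printf '%s\n' "$root"
}

# What a bare "gitolite" resolves to when the search path is $1,
# which is the role secure_path plays for commands run through sudo.
resolve_bare() {
    ( PATH=$1; command -v gitolite )
}

# What an absolute path resolves to: itself, or an error if it is missing
# or not executable. No search path is consulted.
resolve_absolute() {
    [ -f "$1" ] && [ -x "$1" ] || { echo "not executable: $1" >&2; return 1; }
    printf '%s\n' "$1"
}

demo() {
    root=$(make_demo_tree) || return 1
    packaged_first="$root/usr/bin:$root/usr/local/bin"
    local_first="$root/usr/local/bin:$root/usr/bin"
    for sp in "$packaged_first" "$local_first"; do
        echo "secure_path=$sp"
        echo "  bare name     -> $(resolve_bare "$sp")"
        echo "  absolute path -> $(resolve_absolute "$root/usr/bin/gitolite")"
    done
    rm -rf "$root"
}

demo
```

On a real host, `sudo -l` prints the Defaults entries that apply to the invoking user, including secure_path when it is set.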