story #9525 use full regexp instead of wildcards
As a git admin, I want to use full regexp instead of wildcards so that I can fine tune my management rules.

Git repository settings modifications:

  • In Permissions, when "Fine grain" is activated, there is a new checkbox to activate "regexp"
    • There is an info & warning message informing users that by enabling this option they might end up in a non-working state (e.g. a non-terminated regexp). Invalid regexps are ignored silently, without errors.
  • When the "regexp" checkbox is unticked, all defined rules are checked against the default wildcard validator, and rules that do not match are discarded
    • There is a confirmation dialog informing users about it
  • Activation of "regexp" mode, as well as changes to the regexps, is traced in "Project history" (as is already done for wildcards)
  • On save, some basic formatting rules are checked (e.g. "\n" is forbidden, so that a crafted rule cannot inject extra lines or attacks into the gitolite config)

Git fork screen

  • It is not possible to activate "regexp" while forking a repository.

Default git template (project level)

  • Git administrators can activate regexp mode for the permission template defined at project level (with the same constraints and behaviour as for the repository settings described above)
  • This setting is inherited at project creation if it is defined in the project template

Site admin modifications:

  • As regexps might be used to trigger a regexp-based DoS (ReDoS) attack, the site admin must activate this option at site level before it can be used in projects
  • The option is disabled by default
  • If the site admin deactivates the option after it has been used in projects, there is no impact on existing projects. However, when those projects try to update their permissions after the deactivation, the regexps are discarded
    • When this situation is detected ("regexp enabled in the repository but disabled on the platform"), a special message warns the git administrator that the invalid permissions will be removed after the update
    • This also applies to the repository template at project level

  • [ ] Does it involve User Interface?
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
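The validation behaviour described in this story (line-break rejection for gitolite config safety, fallback to the wildcard validator when regexp mode is off or disabled on the platform, silent discard of invalid regexps) can be illustrated with a small validator. The following is an added example written in Python for the purpose of this page; it is not Tuleap's PHP code, and the wildcard character set, the function names and the sample rules are assumptions made for the illustration:

```python
import re

# Added illustration of the validation rules described in this story.
# This is not Tuleap's code: the wildcard character set, the function
# names and the sample rules below are assumptions for the example.

# Wildcard mode (assumed rule): a ref path made of safe characters, with
# "*" allowed only as the last character, or alone.
WILDCARD = re.compile(r'^(\*|[A-Za-z0-9_./-]+\*?)$')


def has_line_break(pattern):
    """A line break in a rule would let it inject extra lines into the
    generated gitolite config, so it is rejected in both modes."""
    return '\n' in pattern or '\r' in pattern


def is_valid_wildcard(pattern):
    return not has_line_break(pattern) and WILDCARD.match(pattern) is not None


def is_valid_regexp(pattern):
    """Regexp mode: the pattern must at least compile.  A pattern that
    compiles can still be slow to match (ReDoS), which compiling does not
    detect; that is why the story gates the mode behind a site-level switch."""
    if not pattern or has_line_break(pattern):
        return False
    try:
        re.compile(pattern)
    except re.error:
        # "Invalid regexp will be ignored without errors": the caller drops it.
        return False
    return True


def filter_rules(rules, use_regexp, regexp_enabled_on_platform):
    """Return (kept, discarded) for a list of fine-grained rules.

    Regexp validation applies only when the repository has "regexp" ticked
    AND the site admin has enabled it; otherwise rules fall back to the
    wildcard validator, so regexps left over after a platform-level
    deactivation are discarded on the next update, as the story describes.
    """
    regexp_mode = use_regexp and regexp_enabled_on_platform
    validate = is_valid_regexp if regexp_mode else is_valid_wildcard
    kept, discarded = [], []
    for rule in rules:
        (kept if validate(rule) else discarded).append(rule)
    return kept, discarded


# Constructed sample rules, not taken from any real project.
SAMPLE_RULES = [
    'refs/heads/*',                                    # plain wildcard
    'refs/heads/(dev|feat)-[0-9]+',                    # only valid as a regexp
    'refs/heads/(unterminated',                        # non-terminated regexp
    'refs/heads/x\nRW+ refs/heads/master = attacker',  # line-injection attempt
]

if __name__ == '__main__':
    for use_regexp, on_platform in [(True, True), (False, True), (True, False)]:
        kept, discarded = filter_rules(SAMPLE_RULES, use_regexp, on_platform)
        print(f'repo regexp={use_regexp} platform regexp={on_platform}')
        print('  kept:     ', kept)
        print('  discarded:', discarded)
```

With regexp mode active on both the repository and the platform, the first two sample rules are kept and the non-terminated regexp and the line-injection attempt are discarded; with the checkbox unticked, or with the platform switch off, only the plain wildcard survives, which is the "regexps are discarded on the next update" behaviour the story specifies. Note that `re.compile` only catches syntactically invalid patterns; it says nothing about catastrophic backtracking, so the site-level opt-in remains the only control over ReDoS here.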
Manuel Vacelet (vaceletm)
2016-12-06 22:18
2016-09-29 11:18

Referencing story #9525

Git commit