From d504aa21cdde47ca6d2541515c17d62ea4ba484b Mon Sep 17 00:00:00 2001
From: Jan Lindemann
Date: Sat, 26 Nov 2016 12:18:37 +0000
Subject: [PATCH] git-srv-admin.sh: Only allow manipulating own repos
Disallow attempts to manipulate other user's repositories.
Signed-off-by: Jan Lindemann
---
 scripts/git-srv-admin.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/scripts/git-srv-admin.sh b/scripts/git-srv-admin.sh
index bd741297..309a989f 100644
--- a/scripts/git-srv-admin.sh
+++ b/scripts/git-srv-admin.sh
@@ -53,6 +53,11 @@ md()
 }
 }
+check_user_is_self()
+{
+ [ "$id" != "$user" ] && fatal "User $id is not allowed to do this to user $user's repositories."
+}
+
 # ----------------- commands
 md_p()
 {
@@ -90,8 +95,9 @@ create_personal_project()
 list_personal_projects()
 {
- cd $pdir
+ cd $pdir || return 1
 ls */HEAD | sed 's%/HEAD%%' 2>/dev/null
+ return $?
 }
 # ----------------- here we go
@@ -123,10 +129,11 @@ shift $(($OPTIND - 1))
 if [ "$user" ]; then
 id=$user
 else
- [ "$SUDO_UID" ] && {
+ if [ "$SUDO_UID" ]; then
 id=`/opt/ytools/bin/getpwuid $SUDO_UID | sed '/^name *=/ !d; s/^name *= *//'`
 [ "$id" ] || fatal "failed to find uid $SUDO_UID in user database"
- }
+ fi
+ user=$id
 fi
 git_home=/srv/git/$id
@@ -141,6 +148,7 @@ dir=$pdir/$p
 case $cmd in
 create-personal-project)
+ check_user_is_self
 create_personal_project "$@"
 ;;
 list-personal-projects)
@@ -148,6 +156,7 @@ list-personal-projects)
 ;;
 create-project-dir)
 dir=$1 # this is all a horrible variable and usage mess
+ check_user_is_self
 create_project_dir "$@"
 ;;
 *)
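Review bot: On the success path `check_user_is_self` returns status 1, because `[ "$id" != "$user" ] && fatal …` ends on the failed test whenever the two names match. That is harmless for the two bare calls added in the `case` statement unless the script runs under `set -e` (not visible in this diff), in which case an allowed request would abort right after the check. Writing the body as `[ "$id" = "$user" ] || fatal "User $id is not allowed to do this to user $user's repositories."` keeps the message and returns 0 when the check passes.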
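Review bot: The new `return $?` in `list_personal_projects` reports the exit status of `sed`, the last command of the pipeline, so the function still returns 0 when `ls */HEAD` finds nothing; it is also redundant, since a function already returns the status of its last command. The `2>/dev/null` on the context line is attached to `sed` as well, so the `ls` error message is not suppressed. I would drop the `return $?`, move the redirect to `ls */HEAD 2>/dev/null | sed 's%/HEAD%%'`, and quote the path in `cd "$pdir" || return 1`.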
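Review bot: After this block `$id` and `$user` are always equal, so the `check_user_is_self` comparison added in the first hunk cannot fail on the lines shown: when `$user` is supplied the first branch sets `id=$user`, and otherwise the new `user=$id` copies the value the other way. A request that names another account therefore still passes the check, unless code between this hunk and the `case` statement (not visible) changes one of the two variables. The invoking account needs to be resolved independently of the requested one, for example by always taking `$id` from `$SUDO_UID`, only defaulting `$user` from it, and building `git_home` from `$user`. How a direct, non-sudo invocation should be treated is a policy choice; the sketch below falls back to `id -un`.

```shell
# $id is always the invoking account, $user the account being operated on
if [ "$SUDO_UID" ]; then
	# … unchanged: getpwuid lookup of $SUDO_UID into $id, fatal on a miss …
else
	id=`id -un`
fi
[ "$user" ] || user=$id

git_home=/srv/git/$user
```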
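Review bot: `check_user_is_self` compares account names only, while `dir=$1` is taken straight from the command line and nothing in this hunk ties it to `$git_home`. If `create_project_dir` (its body is outside the diff) does not confine the path itself, and the argument is meant to be relative to the user's own area, the check should be followed by a guard such as `case "$dir" in /*|*..*) fatal "invalid project directory: $dir" ;; esac`. The `case $cmd` statement starts above this hunk and continues past the `*)` line.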