  • Restricting ordinary SVN users from deleting files and requiring a log message on commit

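    SVN is fairly widely used, but it has one big problem: its permission control is rather poor. Access is either read or read-write, and read-write means being able to delete files (this is my current understanding; if anything here is wrong, please correct me).

    It so happened that a while ago a developer accidentally deleted part of the code repository, and only then did I realize how big this problem is. My manager's requirement is that developers and similar staff should not have permission to delete files; only project managers and the like should have it.

    So I searched online and found that quite a few people also say SVN's permission management is too coarse-grained. It took a long search before I found that this can be implemented with pre-commit under the hooks directory of the svn project directory.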

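    1. First, look at the svn project structure. test and test1 were created by clicking the Create button on that page. I also created an ordinary user, bp (simulating a developer, to test the delete operation).

    Grant permissions to the bp user

    2. Go into the svn project's hooks directory

    You can see that under repositories there are the two svn project directories I created, test and test1; the pre-commit under hooks is a file I newly created.

    3. Look at the contents of pre-commit; this is the most important part. (Among the lines commented out with # in the code, the first line, #!/bin/sh, is critical; I recommend keeping it, otherwise errors are likely. I also recommend not putting Chinese text in this file, since that can cause errors too, so remember to delete my annotation comments, which were written in Chinese in the original post.) PS: after creating the file, be sure to grant it executable permission: chmod +x pre-commit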

    [root@localhost hooks]# cat pre-commit
    #!/bin/sh
    
    # PRE-COMMIT HOOK
    #
    # The pre-commit hook is invoked before a Subversion txn is
    # committed.  Subversion runs this hook by invoking a program
    # (script, executable, binary, etc.) named 'pre-commit' (for which
    # this file is a template), with the following ordered arguments:
    #
    #   [1] REPOS-PATH   (the path to this repository)
    #   [2] TXN-NAME     (the name of the txn about to be committed)
    #
    #   [STDIN] LOCK-TOKENS ** the lock tokens are passed via STDIN.
    #
    #   If STDIN contains the line "LOCK-TOKENS:\n" (the "\n" denotes a
    #   single newline), the lines following it are the lock tokens for
    #   this commit.  The end of the list is marked by a line containing
    #   only a newline character.
    #
    #   Each lock token line consists of a URI-escaped path, followed
    #   by the separator character '|', followed by the lock token string,
    #   followed by a newline.
    #
    # The default working directory for the invocation is undefined, so
    # the program should set one explicitly if it cares.
    #
    # If the hook program exits with success, the txn is committed; but
    # if it exits with failure (non-zero), the txn is aborted, no commit
    # takes place, and STDERR is returned to the client.   The hook
    # program can use the 'svnlook' utility to help it examine the txn.
    #
    # On a Unix system, the normal procedure is to have 'pre-commit'
    # invoke other programs to do the real work, though it may do the
    # work itself too.
    #
    #   ***  NOTE: THE HOOK PROGRAM MUST NOT MODIFY THE TXN, EXCEPT  ***
    #   ***  FOR REVISION PROPERTIES (like svn:log or svn:author).   ***
    #
    #   This is why we recommend using the read-only 'svnlook' utility.
    #   In the future, Subversion may enforce the rule that pre-commit
    #   hooks should not modify the versioned data in txns, or else come
    #   up with a mechanism to make it safe to do so (by informing the
    #   committing client of the changes).  However, right now neither
    #   mechanism is implemented, so hook writers just have to be careful.
    #
    # Note that 'pre-commit' must be executable by the user(s) who will
    # invoke it (typically the user httpd runs as), and that user must
    # have filesystem-level permission to access the repository.
    #
    # On a Windows system, you should name the hook program
    # 'pre-commit.bat' or 'pre-commit.exe',
    # but the basic idea is the same.
    #
    # The hook program typically does not inherit the environment of
    # its parent process.  For example, a common problem is for the
    # PATH environment variable to not be set to its usual value, so
    # that subprograms fail to launch unless invoked via absolute path.
    # If you're having unexpected problems with a hook program, the
    # culprit may be unusual (or missing) environment variables.
    # 
    # Here is an example hook script, for a Unix /bin/sh interpreter.
    # For more examples and pre-written hooks, see those in
    # the Subversion repository at
    # http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/ and
    # http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/
    
    
    REPOS="$1"
    TXN="$2"
    
    # Adjust this path to your own svnlook. You can get it with `which svnlook`;
    # my installation does not support `which svnlook`, so I located it with
    # `find / -name svnlook`.
    SVNLOOK=/application/csvn/bin/svnlook
    
    # Check that the author of this commit has the rights to perform
    # the commit on the files and directories being modified.
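    # The original tmpl file contains the statement below; the command cannot be
    # found and causes an error, so it is best left commented out.
    #commit-access-control.pl "$REPOS" "$TXN" commit-access-control.cfg || exit 1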
    
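    # Make sure that the log message contains some text.
    # This should check whether a log message was written. I found that when I
    # commit with a log written in Chinese it also hits this case, though from
    # reading the statement it should not; a bit odd.
    if [ -z "$($SVNLOOK log -t "$TXN" "$REPOS" | grep "[a-zA-Z0-9]")" ]; then
            # According to what I read online, the trailing >&2 apparently cannot be omitted, otherwise it also errors
            echo "svn admin: please add log messages!!!" >&2
            exit 1  # 0 means success, non-zero means failure
    fi
    USER=$($SVNLOOK author -t "$TXN" "$REPOS")
    ADMINLIST=admin  # Project managers and others allowed to delete files; here I authorize only the admin user
    # Compare the committer with each ADMINLIST entry as an exact literal name, not as a regex
    if ! printf '%s\n' $ADMINLIST | grep -Fxq -- "$USER"; then
            if $SVNLOOK changed -t "$TXN" "$REPOS" | grep -q "^D "; then
                    # The echo text is the message shown to the user
                    echo "svn admin: You don't have the permission of delete! Please contact your administrator!" >&2
                    exit 1
            fi
    fi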
    
    # All checks passed, so allow the commit.
    exit 0

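    4. Test the delete operation as the bp user (sometimes the configuration does not take effect right away; try testing again two minutes after modifying the file)

    If something is deleted by mistake, you can right-click the deleted file in the following location and choose revert to restore it

    5. Committing without a log message

    Reference link: http://blog.chinaunix.net/uid-29893597-id-5594571.html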
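
An added example, not part of the original post: the decisions made by the hook in step 3, written as POSIX sh functions that can be run on constructed input without a repository. `grep "[a-zA-Z0-9]"` matches only ASCII letters and digits, which is why a log message written entirely in Chinese is rejected; this version accepts any non-whitespace text and compares the committer with the admin list by exact name. The function names, the second admin name `pm_li` and the sample inputs are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the hook's decisions as functions, testable without svnlook.
ADMINLIST="admin pm_li"   # assumed space-separated list; pm_li is made up

# True if the log message has at least one non-whitespace character, so a
# message written only in Chinese passes (grep "[a-zA-Z0-9]" rejects it).
has_log_message() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# True only when $1 equals one ADMINLIST entry exactly (no regex, no substring).
is_admin() {
    [ -n "$1" ] || return 1
    for a in $ADMINLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Reads `svnlook changed` output on stdin; true if any path is deleted.
# A move or rename is reported as a delete plus an add, so it matches too.
has_deletion() {
    grep -q '^D '
}

# check_commit USER LOG CHANGED: returns 0 to allow, 1 to reject.
check_commit() {
    if ! has_log_message "$2"; then
        echo "svn admin: please add log messages!!!" >&2
        return 1
    fi
    if ! is_admin "$1" && printf '%s\n' "$3" | has_deletion; then
        echo "svn admin: deleting files requires an administrator" >&2
        return 1
    fi
    return 0
}

# Constructed sample input in the format printed by `svnlook changed`.
SAMPLE='U   trunk/src/main.c
D   trunk/src/old.c'
check_commit bp "修复登录问题" "$SAMPLE" 2>/dev/null || echo "bp + delete: rejected"
check_commit admin "cleanup" "$SAMPLE" && echo "admin + delete: allowed"

# In the real hook (REPOS, TXN and SVNLOOK set as in the script above):
#   check_commit "$($SVNLOOK author -t "$TXN" "$REPOS")" \
#                "$($SVNLOOK log -t "$TXN" "$REPOS")" \
#                "$($SVNLOOK changed -t "$TXN" "$REPOS")" || exit 1
```

Because the delete half of a move is also matched, users outside ADMINLIST cannot rename or move files under this rule either.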

  • Original article: https://www.cnblogs.com/biaopei/p/11244493.html