SVN: Preventing Ordinary Users from Deleting Files and Requiring a Log Message on Commit


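SVN is fairly widely used, but it has one big problem: its permission control is rather weak. Access is either read or read-write, and read-write means being able to delete files (this is my current understanding; if anything is wrong, please correct me).

It so happened that a while ago a developer accidentally deleted the code repository, and only then did I realize how serious this problem is. My manager's requirement is that developers and similar users should not have permission to delete files; only people such as project managers should.

So I searched online and found that quite a few people also say SVN's permission management is too coarse-grained. After a long search I found that this can be implemented with the pre-commit script in the hooks directory under the SVN project directory.

1. First, let's look at the SVN project structure. test and test1 were created by clicking the create button on this page. I also created an ordinary user bp (to simulate a developer and test the delete operation).

Grant permissions to the bp user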

 

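2. Go into the hooks directory of the SVN project

Under repositories you can see the two SVN project directories I created, test and test1; the pre-commit file under hooks is one I newly created.

3. Look at the contents of pre-commit; this is the most important part. (About the lines commented out with # in the code: the first line, #!/bin/sh, is critical and should be kept, otherwise errors are likely. I also recommend not putting Chinese text in this file, since that may cause errors too, so remember to delete my explanatory comments.) PS: after creating the file, be sure to make it executable: chmod +x pre-commit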

[root@localhost hooks]# cat pre-commit
#!/bin/sh

# PRE-COMMIT HOOK
#
# The pre-commit hook is invoked before a Subversion txn is
# committed.  Subversion runs this hook by invoking a program
# (script, executable, binary, etc.) named 'pre-commit' (for which
# this file is a template), with the following ordered arguments:
#
#   [1] REPOS-PATH   (the path to this repository)
#   [2] TXN-NAME     (the name of the txn about to be committed)
#
#   [STDIN] LOCK-TOKENS ** the lock tokens are passed via STDIN.
#
#   If STDIN contains the line "LOCK-TOKENS:\n" (the "\n" denotes a
#   single newline), the lines following it are the lock tokens for
#   this commit.  The end of the list is marked by a line containing
#   only a newline character.
#
#   Each lock token line consists of a URI-escaped path, followed
#   by the separator character '|', followed by the lock token string,
#   followed by a newline.
#
# The default working directory for the invocation is undefined, so
# the program should set one explicitly if it cares.
#
# If the hook program exits with success, the txn is committed; but
# if it exits with failure (non-zero), the txn is aborted, no commit
# takes place, and STDERR is returned to the client.   The hook
# program can use the 'svnlook' utility to help it examine the txn.
#
# On a Unix system, the normal procedure is to have 'pre-commit'
# invoke other programs to do the real work, though it may do the
# work itself too.
#
#   ***  NOTE: THE HOOK PROGRAM MUST NOT MODIFY THE TXN, EXCEPT  ***
#   ***  FOR REVISION PROPERTIES (like svn:log or svn:author).   ***
#
#   This is why we recommend using the read-only 'svnlook' utility.
#   In the future, Subversion may enforce the rule that pre-commit
#   hooks should not modify the versioned data in txns, or else come
#   up with a mechanism to make it safe to do so (by informing the
#   committing client of the changes).  However, right now neither
#   mechanism is implemented, so hook writers just have to be careful.
#
# Note that 'pre-commit' must be executable by the user(s) who will
# invoke it (typically the user httpd runs as), and that user must
# have filesystem-level permission to access the repository.
#
# On a Windows system, you should name the hook program
# 'pre-commit.bat' or 'pre-commit.exe',
# but the basic idea is the same.
#
# The hook program typically does not inherit the environment of
# its parent process.  For example, a common problem is for the
# PATH environment variable to not be set to its usual value, so
# that subprograms fail to launch unless invoked via absolute path.
# If you're having unexpected problems with a hook program, the
# culprit may be unusual (or missing) environment variables.
# 
# Here is an example hook script, for a Unix /bin/sh interpreter.
# For more examples and pre-written hooks, see those in
# the Subversion repository at
# http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/ and
# http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/


REPOS="$1"
TXN="$2"

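# Path to svnlook; set this for your own installation. `which svnlook` can
# find it; my installation does not support `which svnlook`, so I located it
# with `find / -name svnlook`.
SVNLOOK=/application/csvn/bin/svnlook

# Check that the author of this commit has the rights to perform
# the commit on the files and directories being modified.
# The original tmpl file contains the statement below; it cannot be found and
# causes an error, so I recommend commenting it out.
#commit-access-control.pl "$REPOS" "$TXN" commit-access-control.cfg || exit 1

# Make sure that the log message contains some text.
# This should be checking whether a log message was written. I found that a
# commit with a Chinese log message also matches this case, although from the
# statement it shouldn't; a bit odd.
if [ -z "$($SVNLOOK log -t "$TXN" "$REPOS" | grep "[a-zA-Z0-9]")" ]; then
        # According to what I read online, the trailing >&2 apparently cannot
        # be omitted, otherwise an error is reported as well.
        echo "svn admin: please add log messages!!!" >&2
        exit 1  # 0 means success, non-zero means failure
fi
USER=$($SVNLOOK author -t "$TXN" "$REPOS")
# Project managers and others allowed to delete files; here I only authorize
# the admin user. For several names, quote the value and separate them with spaces.
ADMINLIST=admin
# Compare the author literally against whole entries (-F -x) rather than as a regex.
if [ "$(echo "$ADMINLIST" | tr ' ' '\n' | grep -Fxc -- "$USER")" -eq 0 ]; then
        if [ "$($SVNLOOK changed -t "$TXN" "$REPOS" | grep -c "^D ")" -gt 0 ]; then
                # The echo text is the message shown to the user.
                echo "svn admin: You don't have permission to delete! Please contact your administrator!" >&2
                exit 1
        fi
fi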

# All checks passed, so allow the commit.
exit 0

 

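4. Test the delete operation as the bp user (sometimes the configuration does not take effect right away; try testing again two minutes after modifying the file)

If a file is deleted by mistake, you can right-click the deleted file in the following location and choose revert to restore it.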

 

5. Commit without adding a log message
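
A broken pre-commit hook blocks every commit, so it helps to exercise the checks before installing them. The following is an added example, not part of the original post or of Subversion: it writes the hook's two checks as small functions and runs them against a stub svnlook. The ADMINLIST entries, the transaction names t1 to t5 and the stub's output are constructed. It goes slightly beyond the script above: the log check accepts any non-blank message, including one with no ASCII letters, and the admin check compares the author against whole list entries.

```shell
#!/bin/sh
# Added example: the hook's checks as functions, run against a stub svnlook.
# ADMINLIST, the stub and every sample value below are constructed.
ADMINLIST="admin pm-lead"
SVNLOOK=fake_svnlook            # in the real hook: absolute path to svnlook

is_admin() {                    # $1 = author; literal, whole-name comparison
    [ -n "$1" ] && printf '%s\n' $ADMINLIST | grep -Fxq -- "$1"
}
has_log() {                     # stdin = log message; any non-blank byte counts
    LC_ALL=C grep -q '[^[:space:]]'
}
has_delete() {                  # stdin = `svnlook changed`; status is column 1
    grep -q '^D '
}

# decide REPOS TXN: prints the verdict, returns 0 to allow and 1 to reject
decide() {
    author=$("$SVNLOOK" author -t "$2" "$1")
    if ! "$SVNLOOK" log -t "$2" "$1" | has_log; then
        echo "reject: empty log"; return 1
    fi
    if ! is_admin "$author" && "$SVNLOOK" changed -t "$2" "$1" | has_delete; then
        echo "reject: delete by $author"; return 1
    fi
    echo "allow"
}

# Stub: $1 = subcommand, $3 = transaction name selecting a constructed case
fake_svnlook() {
    case "$1:$3" in
        author:t3) echo admin ;;
        author:t5) echo lead ;;          # only part of the entry "pm-lead"
        author:*)  echo bp ;;
        log:t2)    printf '  \n' ;;      # whitespace only
        log:*)     printf '\344\277\256\345\244\215\n' ;;  # UTF-8, no ASCII letters
        changed:t1) printf 'U   trunk/a.c\nA   trunk/Data.txt\n' ;;
        changed:*)  printf 'D   trunk/old.c\nU   trunk/a.c\n' ;;
    esac
}

for t in t1 t2 t3 t4 t5; do
    printf '%s: ' "$t"; decide /repo "$t" || true
done
```

To use the functions in a real hook, set SVNLOOK to the absolute svnlook path, call decide "$1" "$2" with its output redirected to stderr, and exit with its return status.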

 

Reference link: http://blog.chinaunix.net/uid-29893597-id-5594571.html

