gitweb: Run git commands as a web user

Fixes #2306. Tested that all the gitweb tests pass in Debian stable and testing containers. Signed-off-by: Veiko Aasa <veiko17@disroot.org> Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-01-21 07:55:00 +00:00 · 2022-12-28 16:54:44 +02:00 · 2022-12-28 16:54:44 +02:00 · b94e1ea596
commit b94e1ea596
parent d3d7e233e3
4 changed files with 14 additions and 9 deletions
--- a/plinth/modules/gitweb/init.py
+++ b/plinth/modules/gitweb/init.py
@ -15,7 +15,7 @@ from plinth.package import Packages

 from . import manifest, privileged
 from .forms import is_repo_url
-from .manifest import GIT_REPO_PATH
+from .manifest import GIT_REPO_PATH, REPO_DIR_OWNER

 _description = [
    _('Git is a distributed version-control system for tracking changes in '
@ -213,7 +213,7 @@ def get_repo_list():

 def repo_info(repo):
    """Get information about repository."""
-    info = privileged.repo_info(repo)
+    info = privileged.repo_info(repo, _run_as_user=REPO_DIR_OWNER)
    if info['access'] == 'private':
        info['is_private'] = True
    else:
@ -244,4 +244,5 @@ def edit_repo(form_initial, form_cleaned):
            privileged.set_repo_access(repo, 'public')

    if form_cleaned['default_branch'] != form_initial['default_branch']:
-        privileged.set_default_branch(repo, form_cleaned['default_branch'])
+        privileged.set_default_branch(repo, form_cleaned['default_branch'],
+                                      _run_as_user=REPO_DIR_OWNER)
--- a/plinth/modules/gitweb/forms.py
+++ b/plinth/modules/gitweb/forms.py
@ -14,11 +14,12 @@ from django.utils.translation import gettext_lazy as _
 from plinth.modules import gitweb

 from . import privileged
+from .manifest import REPO_DIR_OWNER


 def _get_branches(repo):
    """Get all the branches in the repository."""
-    branch_data = privileged.get_branches(repo)
+    branch_data = privileged.get_branches(repo, _run_as_user=REPO_DIR_OWNER)
    default_branch = branch_data['default_branch']
    branches = branch_data['branches']

--- a/plinth/modules/gitweb/manifest.py
+++ b/plinth/modules/gitweb/manifest.py
@ -4,6 +4,7 @@ from django.utils.translation import gettext_lazy as _

 CONFIG_FILE = '/etc/gitweb-freedombox.conf'
 GIT_REPO_PATH = '/var/lib/git'
+REPO_DIR_OWNER = 'www-data'

 clients = [
    {
--- a/plinth/modules/gitweb/privileged.py
+++ b/plinth/modules/gitweb/privileged.py
@ -13,7 +13,7 @@ from typing import Any, Optional
 from plinth import action_utils
 from plinth.actions import privileged
 from plinth.modules.gitweb.forms import RepositoryValidator, get_name_from_url
-from plinth.modules.gitweb.manifest import GIT_REPO_PATH
+from plinth.modules.gitweb.manifest import GIT_REPO_PATH, REPO_DIR_OWNER

 logger = logging.getLogger(__name__)

@ -166,8 +166,9 @@ def _clone_repo(url: str, description: str, owner: str, keep_ownership: bool):

    shutil.rmtree(repo_temp_path)
    if not keep_ownership:
-        subprocess.check_call(['chown', '-R', 'www-data:www-data', repo],
-                              cwd=GIT_REPO_PATH)
+        subprocess.check_call(
+            ['chown', '-R', f'{REPO_DIR_OWNER}:{REPO_DIR_OWNER}', repo],
+            cwd=GIT_REPO_PATH)

    _set_repo_description(repo, description)
    _set_repo_owner(repo, owner)
@ -180,8 +181,9 @@ def _create_repo(repo: str, description: str, owner: str, is_private: bool,
        subprocess.check_call(['git', 'init', '-q', '--bare', repo],
                              cwd=GIT_REPO_PATH)
        if not keep_ownership:
-            subprocess.check_call(['chown', '-R', 'www-data:www-data', repo],
-                                  cwd=GIT_REPO_PATH)
+            subprocess.check_call(
+                ['chown', '-R', f'{REPO_DIR_OWNER}:{REPO_DIR_OWNER}', repo],
+                cwd=GIT_REPO_PATH)
        _set_repo_description(repo, description)
        _set_repo_owner(repo, owner)
        if is_private: