Hi all,
I would like to get two +1's to add the following cron job to hosted03. This will give us an overview of which trac projects have anonymous ticket editing or creation.
From 0443e6d8eff85b3e09f6218a24410c0a32217ff8 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk puiterwijk@redhat.com Date: Wed, 10 Sep 2014 19:59:52 +0000 Subject: [PATCH] Anonymous trac permission check
--- manifests/services/hosted.pp | 1 + modules/scripts/files/trac-anonymous-check.sh | 12 ++++++++++++ modules/scripts/manifests/init.pp | 18 ++++++++++++++++++ 3 files changed, 31 insertions(+), 0 deletions(-) create mode 100644 modules/scripts/files/trac-anonymous-check.sh
diff --git a/manifests/services/hosted.pp b/manifests/services/hosted.pp index 5540613..8b8b533 100644 --- a/manifests/services/hosted.pp +++ b/manifests/services/hosted.pp @@ -19,6 +19,7 @@ class hosted { include hotfix::python-fedora-django include cgit::cgit include cgit::clean-lock-cron + include scripts::trac-anonymous-check
reviewboard::server { '/reviewboard/': secret_key => $reviewboardsecretkey, diff --git a/modules/scripts/files/trac-anonymous-check.sh b/modules/scripts/files/trac-anonymous-check.sh new file mode 100644 index 0000000..9e7268d --- /dev/null +++ b/modules/scripts/files/trac-anonymous-check.sh @@ -0,0 +1,12 @@ +#!/bin/bash +for project in `ls /srv/web/trac/projects`; +do + PERMISSIONS="`sqlite3 /srv/web/trac/projects/$project/db/trac.db "select action from permission where username='anonymous';" | grep 'CREATE|APPEND|EDIT|MODIFY'`" + if [ "" != "$PERMISSIONS" ]; + then + echo -n $project + echo -n ": " + echo $PERMISSIONS + echo "------" + fi +done diff --git a/modules/scripts/manifests/init.pp b/modules/scripts/manifests/init.pp index befff2d..3f85baf 100644 --- a/modules/scripts/manifests/init.pp +++ b/modules/scripts/manifests/init.pp @@ -17,6 +17,24 @@ class scripts::buildSB1Indexes {
}
+class scripts::trac-anonymous-check { + + file { '/usr/local/bin/trac-anonymous-check.sh': + source => 'puppet:///scripts/trac-anonymous-check.sh', + mode => '0755' + } + + cron { trac-anonymous-check: + command => "/usr/local/bin/trac-anonymous-check.sh", + user => "root", + minute => 0, + hour => 0, + ensure => present, + require => File['/usr/local/bin/trac-anonymous-check.sh'] + } + +} + class scripts::confineSsh {
file { '/usr/local/bin/confine-ssh.sh':
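Review bot: the grep in the trac-anonymous-check.sh hunk cannot match anything: `grep 'CREATE|APPEND|EDIT|MODIFY'` is a basic regular expression, where `|` is a literal character, so `PERMISSIONS` is always empty and the nightly job will silently report no projects. Use `grep -E 'CREATE|APPEND|EDIT|MODIFY'` (or one `-e` per word). Once the pattern works, two things still slip through: the query only reads rows with `username='anonymous'`, so permissions anonymous inherits through a group row (Trac keeps group membership in the same `permission` table, with the group name in `action`) are missed, and `TICKET_ADMIN`/`TRAC_ADMIN` grant ticket creation without containing any of the four words. Consider matching `ADMIN` too and following group rows.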
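Review bot: in the init.pp hunk the cron title is an unquoted bareword, `cron { trac-anonymous-check:`; quote it (`cron { 'trac-anonymous-check':`) the way the `file` resource above it does, since hyphens in unquoted titles are not reliably parsed. The `file` resource sets only `mode`; add `owner => 'root'` and `group => 'root'` so a root cron job only ever executes a root-owned script. The job's stdout goes to root's cron mail with no other recipient configured, so state in the commit message that root's mailbox is the intended notification channel, or set one explicitly.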
A few inline comments about the .sh file.
On 09/10/2014 04:09 PM, Patrick Uiterwijk wrote:
@@ -0,0 +1,12 @@ +#!/bin/bash +for project in `ls /srv/web/trac/projects`;
Probably better to iterate over a glob instead, to handle weird filenames. They shouldn't exist, but it is always a possibility and something could go weird if they do.
+do
- PERMISSIONS="`sqlite3 /srv/web/trac/projects/$project/db/trac.db "select action from permission where username='anonymous';" | grep 'CREATE|APPEND|EDIT|MODIFY'`"
- if [ "" != "$PERMISSIONS" ];
- then
echo -n $project
Double-quote $project to prevent accidental globbing.
echo -n ": "
echo $PERMISSIONS
Same here with $PERMISSIONS.
And (less important), backtick syntax is deprecated, prefer $(...) instead. See http://mywiki.wooledge.org/BashFAQ/082.
+1 after everything except the backtick syntax (which I don't consider a blocker but should be easy to fix if you feel like it).
-Ricky
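The review above asks for a glob, quoted variables and $(...), and the posted grep also needs -E to work at all. The following is an added example, written for this page and not the patch's script nor Fedora infrastructure code, that does the same check in Python with the stdlib sqlite3 module: it walks a projects directory laid out like /srv/web/trac/projects/<project>/db/trac.db, follows group membership rows transitively (Trac's convention that an all-uppercase `action` is a permission and anything else names a group is assumed), and also flags the ADMIN meta-permissions. The demo() function builds three constructed projects in a temporary directory; the project names and permission rows there are made up for illustration.

```python
"""Report Trac projects in which 'anonymous' can create or change content."""
import os
import re
import sqlite3
import tempfile

# Mirrors the words grepped for in the posted script, plus the ADMIN
# meta-actions (TICKET_ADMIN, TRAC_ADMIN) that imply all of them.
WRITE_PATTERN = re.compile(r"CREATE|APPEND|EDIT|MODIFY|ADMIN")


def anonymous_actions(db_path):
    """Return the set of uppercase permission actions 'anonymous' holds in one
    trac.db, resolving group membership transitively.

    Assumed Trac convention: a row (username, action) grants a permission when
    `action` is all-uppercase; otherwise it makes `username` a member of the
    group called `action`.
    """
    conn = sqlite3.connect(db_path)
    try:
        subjects = {"anonymous"}      # users/groups already expanded
        frontier = {"anonymous"}      # subjects still to look up
        actions = set()
        while frontier:
            placeholders = ",".join("?" * len(frontier))
            rows = conn.execute(
                "SELECT action FROM permission WHERE username IN (%s)" % placeholders,
                tuple(frontier),
            ).fetchall()
            frontier = set()
            for (action,) in rows:
                if action.isupper():
                    actions.add(action)
                elif action not in subjects:   # a group we have not expanded yet
                    subjects.add(action)
                    frontier.add(action)
        return actions
    finally:
        conn.close()


def anonymous_write_actions(db_path):
    """Sorted list of anonymous's actions that allow creating or editing."""
    return sorted(a for a in anonymous_actions(db_path) if WRITE_PATTERN.search(a))


def check_projects(projects_root):
    """Map project name -> write-capable actions, for projects where
    anonymous holds at least one. Directories without db/trac.db are skipped,
    and names are taken from os.listdir so odd filenames need no shell quoting."""
    findings = {}
    for name in sorted(os.listdir(projects_root)):
        db_path = os.path.join(projects_root, name, "db", "trac.db")
        if not os.path.isfile(db_path):
            continue
        hits = anonymous_write_actions(db_path)
        if hits:
            findings[name] = hits
    return findings


def make_sample_project(root, name, rows):
    """Create <root>/<name>/db/trac.db with a minimal permission table.
    Constructed test data, not a real Trac environment."""
    db_dir = os.path.join(root, name, "db")
    os.makedirs(db_dir)
    conn = sqlite3.connect(os.path.join(db_dir, "trac.db"))
    conn.execute("CREATE TABLE permission (username text, action text)")
    conn.executemany("INSERT INTO permission VALUES (?, ?)", rows)
    conn.commit()
    conn.close()


def demo():
    """Build three constructed projects and run the check; returns findings."""
    root = tempfile.mkdtemp(prefix="trac-anon-")
    make_sample_project(root, "open-tickets",
                        [("anonymous", "TICKET_VIEW"), ("anonymous", "TICKET_CREATE")])
    # Permission reaches anonymous only via group membership; the posted grep
    # would miss this one.
    make_sample_project(root, "via-group",
                        [("anonymous", "contributors"), ("contributors", "TICKET_MODIFY")])
    make_sample_project(root, "read-only",
                        [("anonymous", "TICKET_VIEW"), ("anonymous", "WIKI_VIEW")])
    return check_projects(root)


if __name__ == "__main__":
    for project, actions in demo().items():
        print("%s: %s" % (project, " ".join(actions)))
        print("------")
```

Run against the real tree with check_projects("/srv/web/trac/projects") from root's cron; it only opens the databases read-only through sqlite3 and prints nothing when no project is open to anonymous, which keeps the cron mail quiet on a clean night.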
infrastructure@lists.fedoraproject.org