HomePhabricator

Reject dangerous changes in Git repositories by default

Authored by epriestley on Dec 3 2013, 6:28 PM.

Description

Reject dangerous changes in Git repositories by default

Summary: Ref T4189. This adds a per-repository "dangerous changes" flag, which defaults to off. This flag must be enabled to do non-appending branch mutation (delete branches / rewrite history).

Test Plan:
With flag on and off, performed various safe and dangerous pushes.

>>> orbital ~/repos/POEMS $ git push origin :blarp
remote: +---------------------------------------------------------------+
remote: |      * * * PUSH REJECTED BY EVIL DRAGON BUREAUCRATS * * *     |
remote: +---------------------------------------------------------------+
remote:             \
remote:              \                    ^    /^
remote:               \                  / \  // \
remote:                \   |\___/|      /   \//  .\
remote:                 \  /V  V  \__  /    //  | \ \           *----*
remote:                   /     /  \/_/    //   |  \  \          \   |
remote:                   @___@`    \/_   //    |   \   \         \/\ \
remote:                  0/0/|       \/_ //     |    \    \         \  \
remote:              0/0/0/0/|        \///      |     \     \       |  |
remote:           0/0/0/0/0/_|_ /   (  //       |      \     _\     |  /
remote:        0/0/0/0/0/0/`/,_ _ _/  ) ; -.    |    _ _\.-~       /   /
remote:                    ,-}        _      *-.|.-~-.           .~    ~
remote:   \     \__/        `/\      /                 ~-. _ .-~      /
remote:    \____(Oo)           *.   }            {                   /
remote:    (    (--)          .----~-.\        \-`                 .~
remote:    //__\\  \ DENIED!  ///.----..<        \             _ -~
remote:   //    \\               ///-._ _ _ _ _ _ _{^ - - - - ~
remote:
remote:
remote: DANGEROUS CHANGE: The change you're attempting to push deletes the branch 'blarp'.
remote: Dangerous change protection is enabled for this repository.
remote: Edit the repository configuration before making dangerous changes.
remote:
To ssh://dweller@localhost/diffusion/POEMS/
 ! [remote rejected] blarp (pre-receive hook declined)
error: failed to push some refs to 'ssh://dweller@localhost/diffusion/POEMS/'

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, chad, richardvanvelzen

Maniphest Tasks: T4189

Differential Revision: https://secure.phabricator.com/D7689

Event Timeline

is this per user or project?

This is per-repository.

The primary intent is to stop this sort of thing by default (mass accidental --force push to many remotes which is extremely hard to recover from):

https://news.ycombinator.com/item?id=6713742

that was quick.. ;-) great to see, that was "a blocker" before to use hosted repos here. however would be great to allow the seniors to do the "dangerous stuff" in the sense gitolite is doing it. The go really far with RegEx based policies for branch names... Don't know we need to go so far in phabricator?

See T4195.

You could also just let the senior engineers edit the repository, which lets them disable this protection if they need to do something dangerous, and also lets them fix other types of issues.

Thanks, I see how it relates to each other... Nice step forward anyway, Thanks...