SVN pre-commit hook for avoiding changes to tags subdirectories

Question

Hi,

Is there anybody who has clear instructions on how to add a pre-commit hook that avoids changes to tags subdirectories?

I already searched the internet quite a bit. I found this link: http://search.cpan.org/~gnustavo/SVN-Hooks-0.13.11/lib/SVN/Hooks/DenyChanges.pm , but I can't seem to compile things.

regards,

Wim

Answer 1

Following those instructions, I get the following error when I try to commit something:

svn: Commit failed (details follow): svn: Commit blocked by pre-commit hook (exit code 2) with output: Can't locate SVN/Hooks.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /home/svn/tmsng/hooks/pre-commit line 5. BEGIN failed--compilation aborted at /home/svn/tmsng/hooks/pre-commit line 5.

I probably need to edit @INC somewhere to include the dir where I downloaded the files?

regards,

Wim

Edit: I copied the SVN dir containing Hooks.pm manually to /etc/perl and now I get the following exception:

svn: Commit failed (details follow): svn: Commit blocked by pre-commit hook (exit code 2) with output: Can't locate SVN/Look.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /etc/perl/SVN/Hooks.pm line 7. BEGIN failed--compilation aborted at /etc/perl/SVN/Hooks.pm line 7. Compilation failed in require at /home/svn/tmsng/hooks/pre-commit line 5. BEGIN failed--compilation aborted at /home/svn/tmsng/hooks/pre-commit line 5.

However, Look.pm is nowhere to be found...

Answer 2

I should have known google was my friend. Look.pm can be downloaded here: http://cpansearch.perl.org/src/GNUSTAVO/SVN-Look-0.13.463/lib/SVN/Look.pm

Manually copying this into /etc/perl/SVN makes the error go away. However, I can still commit files in the tags dir...

Answer 3

Pretty late to the party, however I wrote a python pre-commit hook for work which is based off the log-police.py script on http://subversion.tigris.org/.

This script should do what you want, however it also checks that a log message exists, though that should be easy to remove from the script.

Some caveats:

• I'm new to Python, so it most likely could be written better
• It has only been tested on Windows 2003 with Python 2.5 and Subversion 1.4.

Requirements:

• Subversion
• Python
• Subversion bindings for Python

Finally, the code:

#!/usr/bin/env python

#
# pre-commit.py:
#
# Performs the following:
#  - Makes sure the author has entered in a log message.
#  - Make sure author is only creating a tag, or if deleting a tag, author is a specific user
#
# Script based on http://svn.collab.net/repos/svn/trunk/tools/hook-scripts/log-police.py
#
# usage: pre-commit.py -t TXN_NAME REPOS
# E.g. in pre-commit.bat (under Windows)
#   python.exe {common_hooks_dir}\pre_commit.py -t %2 %1
#


import os
import sys
import getopt
try:
  my_getopt = getopt.gnu_getopt
except AttributeError:
  my_getopt = getopt.getopt

import re

import svn
import svn.fs
import svn.repos
import svn.core

#
# Check Tags functionality
#
def check_for_tags(txn):
  txn_root = svn.fs.svn_fs_txn_root(txn)
  changed_paths = svn.fs.paths_changed(txn_root)
  for path, change in changed_paths.iteritems():
    if is_path_within_a_tag(path): # else go to next path
      if is_path_a_tag(path):
        if (change.change_kind == svn.fs.path_change_delete):
          if not is_txn_author_allowed_to_delete(txn):
            sys.stderr.write("\nOnly an administrator can delete a tag.\n\nContact your Subversion Administrator for details.")
            return False
        elif (change.change_kind != svn.fs.path_change_add):
          sys.stderr.write("\nUnable to modify " + path + ".\n\nIt is within a tag and tags are read-only.\n\nContact your Subversion Administrator for details.")
          return False
        # else user is adding a tag, so accept this change
      else:
        sys.stderr.write("\nUnable to modify " + path + ".\n\nIt is within a tag and tags are read-only.\n\nContact your Subversion Administrator for details.")
        return False
  return True

def is_path_within_a_tag(path):
  return re.search('(?i)\/tags\/', path)

def is_path_a_tag(path):
  return re.search('(?i)\/tags\/[^\/]+\/?$', path)

def is_txn_author_allowed_to_delete(txn):
  author = get_txn_property(txn, 'svn:author')
  return (author == 'bob.smith')

#
# Check log message functionality
#
def check_log_message(txn):
  log_message = get_txn_property(txn, "svn:log")
  if log_message is None or log_message.strip() == "":
    sys.stderr.write("\nCannot enter in empty commit message.\n")
    return False
  else:
    return True

def get_txn_property(txn, prop_name):
  return svn.fs.svn_fs_txn_prop(txn, prop_name)

def usage_and_exit(error_msg=None):
  import os.path
  stream = error_msg and sys.stderr or sys.stdout
  if error_msg:
    stream.write("ERROR: %s\n\n" % error_msg)
  stream.write("USAGE: %s -t TXN_NAME REPOS\n"
               % (os.path.basename(sys.argv[0])))
  sys.exit(error_msg and 1 or 0)

def main(ignored_pool, argv):
  repos_path = None
  txn_name = None

  try:
    opts, args = my_getopt(argv[1:], 't:h?', ["help"])
  except:
    usage_and_exit("problem processing arguments / options.")
  for opt, value in opts:
    if opt == '--help' or opt == '-h' or opt == '-?':
      usage_and_exit()
    elif opt == '-t':
      txn_name = value
    else:
      usage_and_exit("unknown option '%s'." % opt)

  if txn_name is None:
    usage_and_exit("must provide -t argument")
  if len(args) != 1:
    usage_and_exit("only one argument allowed (the repository).")

  repos_path = svn.core.svn_path_canonicalize(args[0])

  fs = svn.repos.svn_repos_fs(svn.repos.svn_repos_open(repos_path))
  txn = svn.fs.svn_fs_open_txn(fs, txn_name)

  if check_log_message(txn) and check_for_tags(txn):
    sys.exit(0)
  else:
    sys.exit(1)

if __name__ == '__main__':
  sys.exit(svn.core.run_app(main, sys.argv))

Answer 4

Here is a short shell script to prevent committing to tags after they have been created:

#!/bin/sh

REPOS="$1"
TXN="$2"

SVNLOOK=/usr/bin/svnlook

# Committing to tags is not allowed
$SVNLOOK changed -t "$TXN" "$REPOS" | grep "^U\W*tags" && /bin/echo "Cannot commit to tags!" 1>&2 && exit 1

# All checks passed, so allow the commit.
exit 0

Save this at hooks/pre-commit for your Subversion repository and make it executable with chmod +x.

Answer 5

I don't have enough reputation to "comment" on Raim's answer above, but his worked great, with one exception, his grep pattern is wrong.

I simply used the below as my pre-commit hook (I didn't have an existing one, you'd need to merge in that case):

#!/bin/sh

REPOS="$1"
TXN="$2"

SVNLOOK=/opt/local/bin/svnlook

# Committing to tags is not allowed
$SVNLOOK changed -t "$TXN" "$REPOS" | grep "^U\W.*\/tags\/" && /bin/echo "Cannot commit to tags!" 1>&2 && exit 1

# All checks passed, so allow the commit.
exit 0

The only problem with Raim's grep pattern is that it only matched "tags" if it was at the "root" of your repo. Since I have several projects in my repo, the script as he wrote it allowed commits on tag branches.

Also, be sure to chmod +x as indicated, otherwise you'll think it worked b/c the commit failed, but it failed b/c it couldn't exec the pre-commit hook, not because the hook worked.

This was really great, thanks Raim. Much better and lighter weight than all other suggestions as it has no dependencies!

Answer 6

The script above from Raim is unfortunately not working for me. Either I'm doing something wrong or there is a use-case which is not covered.

The initial creation of the tag should be permitted (works ok)

$ svn copy https://myrepo/svn/myproject/branch/mybranch https://myrepo/svn/myproject/tags/tag_1

But, the below mutation of the tag still works for me with the above hook.

$ svn copy https://myrepo/svn/myproject/branch/myroguebranch https://myrepo/svn/myproject/tags/tag_1/injected

It gladly permits the injection of additional "code" into the existing tag.

Answer 7

This anwser is a lot after date, but I discovered the --copy-info parameter for the svnlook changed command.

The output of this command adds a '+' in the third column, so you know it is a copy. You can check for commits to the tags directory, and only allow commits with a '+' present.

I've added some output in my blog post.

Answer 8

Here is my windows batch file pre-commit hook. If the user is an administrator the other checks will be skipped. It checks if the commit message is empty, and if the commit is to a tag. Note: findstr is a nerfed alternative to grep on other platforms.

The way it checks if the commit is to a tag, it first checks if svnlook changed contains "tags/". It then checks if svnlook changed matches "^A.tags/[^/]/$", which means that it will check if you are adding a new folder under tags/.

Users are allowed to create new projects. The pre-commit hook allows a user to create the folders trunk/ tags/ and branches/. Users are not allowed to delete the folders trunk/ tags/ and branches/. This will work for a single or multi-project repository.

 @echo off
 rem This pre-commit hook will block commits with no log messages and blocks commits on tags.
 rem Users may create tags, but not modify them.
 rem If the user is an Administrator the commit will succeed.

 rem Specify the username of the repository administrator
 rem commits by this user are not checked for comments or tags
 rem Recommended to change the Administrator only when an admin commit is neccessary
 rem then reset the Administrator after the admin commit is complete
 rem this way the admin user is only an administrator when neccessary
 set Administrator=Administrator

 setlocal

 rem Subversion sends through the path to the repository and transaction id.
 set REPOS=%1%
 set TXN=%2%

 :Main
 rem check if the user is an Administrator
 svnlook author %REPOS% -t %TXN% | findstr /r "^%Administrator%$" >nul
 if %errorlevel%==0 (exit 0)

 rem Check if the commit has an empty log message
 svnlook log %REPOS% -t %TXN% | findstr . > nul
 if %errorlevel% gtr 0 (goto CommentError)

 rem Block deletion of branches and trunk
 svnlook changed %REPOS% -t %TXN% | findstr /r "^D.*trunk/$ ^D.*branches/$" >nul
 if %errorlevel%==0 (goto DeleteBranchTrunkError)

 rem Check if the commit is to a tag
 svnlook changed %REPOS% -t %TXN% | findstr /r "^.*tags/" >nul
 if %errorlevel%==0 (goto TagCommit)
 exit 0

 :DeleteBranchTrunkError
 echo. 1>&2
 echo Trunk/Branch Delete Error: 1>&2
 echo     Only an Administrator may delete the branches or the trunk. 1>&2
 echo Commit details: 1>&2
 svnlook changed %REPOS% -t %TXN% 1>&2
 exit 1

 :TagCommit
 rem Check if the commit is creating a subdirectory under tags/ (tags/v1.0.0.1)
 svnlook changed %REPOS% -t %TXN% | findstr /r "^A.*tags/[^/]*/$" >nul
 if %errorlevel% gtr 0 (goto CheckCreatingTags)
 exit 0

 :CheckCreatingTags
 rem Check if the commit is creating a tags/ directory
 svnlook changed %REPOS% -t %TXN% | findstr /r "^A.*tags/$" >nul
 if %errorlevel% == 0 (exit 0)
 goto TagsCommitError

 :CommentError
 echo. 1>&2
 echo Comment Error: 1>&2
 echo     Your commit has been blocked because you didn't enter a comment. 1>&2
 echo     Write a log message describing your changes and try again. 1>&2
 exit 1

 :TagsCommitError
 echo. 1>&2
 echo %cd% 1>&2
 echo Tags Commit Error: 1>&2
 echo     Your commit to a tag has been blocked. 1>&2
 echo     You are only allowed to create tags. 1>&2
 echo     Tags may only be modified by an Administrator. 1>&2
 echo Commit details: 1>&2
 svnlook changed %REPOS% -t %TXN% 1>&2
 exit 1