mirror of
https://projects.blender.org/infrastructure/gitea-custom.git
synced 2024-12-22 07:13:09 -05:00
Sphinx: simplify running process as another user
This commit is contained in:
Brecht Van Lommel
parent
968618dac3
commit
5c53375672
2 changed files with 7 additions and 18 deletions
|
|
@ -15,8 +15,7 @@ Add to Gitea app.ini.
|
|||
[markup.restructuredtext]
|
||||
ENABLED = true
|
||||
FILE_EXTENSIONS = .rst
|
||||
RENDER_COMMAND = "timeout 30s ./custom/sphinx/sphinx_to_html.py --user sphinx --user-work-dir /path/to/dir"
|
||||
IS_INPUT_FILE = true
|
||||
RENDER_COMMAND = timeout 30s sudo -u sphinx python3 ./custom/sphinx/sphinx_to_html.py
|
||||
|
||||
[markup.sanitizer.restructuredtext]
|
||||
ELEMENT = div
|
||||
|
|
@ -28,6 +27,6 @@ Add to Gitea app.ini.
|
|||
PREVIEWABLE_FILE_MODES = markdown,restructuredtext
|
||||
|
||||
The `sphinx` user is required for sandboxing of sphinx-build which we do not
|
||||
assume to be secure. The work directory should be writable by both the gitea
|
||||
user and sphinx user, with the sphinx user having as little access as possible
|
||||
to other directories.
|
||||
assume to be so secure that it should have access to all gitea data. This user
|
||||
needs read-only access to the custom/sphinx, and the user running gitea needs
|
||||
to be able to run a process as the `sphinx` user.
|
||||
|
|
|
|||
|
|
@ -10,11 +10,7 @@ import subprocess
|
|||
import sys
|
||||
import tempfile
|
||||
|
||||
parser = argparse.ArgumentParser(prog="sphinx_to_html")
|
||||
parser.add_argument("filename_rst", help="Input .rst file")
|
||||
parser.add_argument("--user", help="Run sphinx as another user", type=str)
|
||||
parser.add_argument("--user-work-dir", help="Do work in specified folder accessible by user", type=str)
|
||||
args = parser.parse_args()
|
||||
page_contents = sys.stdin.read()
|
||||
|
||||
base_url = "https://projects.blender.org"
|
||||
local_url = "http://localhost:3000"
|
||||
|
|
@ -44,15 +40,12 @@ else:
|
|||
image_url = ""
|
||||
|
||||
# Set up temporary directory with sphinx configuration.
|
||||
with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir:
|
||||
with tempfile.TemporaryDirectory() as tmp_dir:
|
||||
work_dir = pathlib.Path(tmp_dir) / "work"
|
||||
|
||||
script_dir = pathlib.Path(__file__).parent.resolve()
|
||||
shutil.copytree(script_dir / "template", work_dir)
|
||||
page_filepath = work_dir / "contents.rst"
|
||||
shutil.copyfile(args.filename_rst, page_filepath)
|
||||
|
||||
page_contents = page_filepath.read_text()
|
||||
|
||||
# Turn links into external links since internal links are not found and stripped.
|
||||
def path_to_label(path):
|
||||
|
|
@ -103,10 +96,7 @@ with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir:
|
|||
out_filepath = out_dir / "contents.html"
|
||||
|
||||
sphinx_cmd = ["sphinx-build", "-b", "html", work_dir, out_dir]
|
||||
if args.user:
|
||||
result = subprocess.run(sphinx_cmd, capture_output=True, user=args.user)
|
||||
else:
|
||||
result = subprocess.run(sphinx_cmd, capture_output=True)
|
||||
result = subprocess.run(sphinx_cmd, capture_output=True)
|
||||
|
||||
# Output errors.
|
||||
error = result.stderr.decode("utf-8", "ignore").strip()
|
||||
|
|
|
|||
Loading…
Reference in a new issue