Destroying repositories
=======================

Git, and Gitano for that matter, work hard to preserve information. However,
sometimes you need to destroy a repository. Perhaps it has been moved to
another server, or you never wanted the repository in the first place.

Gitano has a pair of commands for this; the first is the 'destroy' command.

Failure pathways
----------------

    SCENARIO repository destruction failure modes

    GIVEN a standard instance
      AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch
      AND testinstance, using adminkey, adds a new user alice, with a key called main

We obviously can't destroy a repository that doesn't exist.

    WHEN alice main, expecting failure, runs destroy personal/alice/testrepo --force
    THEN stderr contains ERROR: Cannot destroy a repository which does not exist

But the error message must be helpful without being an information leak. If
the user is permitted to know whether the repository exists, we can tell them
that the destroy failed because it does not exist. If the user is not
permitted to know whether the repository exists, then we must tell them it
failed because they weren't permitted.

    WHEN alice main, expecting failure, runs destroy gitano-admin --force
    THEN stderr does not contain ERROR: Cannot destroy a repository which does not exist
     AND stderr contains CRIT: You may not destroy repositories you do not own

    FINALLY the instance is torn down

Destroying repositories successfully
------------------------------------

Repositories can, of course, be destroyed if the calling user has write
access to them. Since in the default ruleset the owner of a repository has
write access, owners can remove their own repositories.

    SCENARIO repository destruction

    GIVEN a standard instance
      AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch
      AND testinstance, using adminkey, adds a new user alice, with a key called main

Repositories writable by the user can be destroyed by the user.

    WHEN alice main runs create personal/alice/testrepo
     AND alice main runs ls
    THEN stdout contains personal/alice/testrepo

    WHEN alice main runs destroy personal/alice/testrepo --force
     AND alice main runs ls
    THEN stdout does not contain personal/alice/testrepo

Use of `--force` is dangerous, as the user has no way of knowing whether
another user pushed to the repository since they last used it. If `--force`
is not passed, the first destroy attempt returns a confirmation token;
re-running destroy with that token performs the deletion, provided the token
is still valid.

    WHEN alice main runs create personal/alice/testrepo
     AND alice main runs ls
    THEN stdout contains personal/alice/testrepo

    WHEN alice main runs destroy personal/alice/testrepo
    THEN stdout contains re-run your command with the following confirmation token

Any change made to a repository affects the token, so if metadata or any
content refs are updated, the token will no longer match...

    GIVEN the token is saved as delete
    WHEN testinstance adminkey runs config personal/alice/testrepo set project.description Foo
     AND alice using main, expecting failure, destroys personal/alice/testrepo using the delete token
    THEN stderr contains ERROR: Confirmation token does not match, refusing to destroy

This is to prevent deleting a repository that someone has just pushed to and
losing their changes.

    FINALLY the instance is torn down
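
The two checks exercised by these scenarios, modelled in Python as an added example; it is not Gitano's implementation. Assumptions: the token is an HMAC over the repository name, metadata and refs under a per-instance key, ownership stands in for write access, a user may learn about names under their own `personal/<user>/` prefix, and `Repo`, `SERVER_KEY`, `state_token` and `destroy` are hypothetical names.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: per-instance secret

class Repo:  # hypothetical stand-in for a hosted repository
    def __init__(self, owner):
        self.owner = owner
        self.refs = {}    # ref name -> commit id
        self.config = {}  # metadata, e.g. project.description

def state_token(name, repo):
    """Assumed scheme: HMAC over name, metadata and refs, so any change alters it."""
    mac = hmac.new(SERVER_KEY, name.encode(), hashlib.sha256)
    for section in (repo.config, repo.refs):
        for key in sorted(section):
            mac.update(f"\0{key}\0{section[key]}".encode())
        mac.update(b"\1")  # separator between metadata and refs
    return mac.hexdigest()

def destroy(repos, user, name, token=None, force=False):
    """Return (destroyed, message) using the messages from the scenarios."""
    repo = repos.get(name)
    if repo is None or repo.owner != user:
        # Admit non-existence only for names the caller may know about
        # (assumption: the caller's own personal/<user>/ namespace).
        if repo is None and name.startswith(f"personal/{user}/"):
            return False, "ERROR: Cannot destroy a repository which does not exist"
        return False, "CRIT: You may not destroy repositories you do not own"
    expected = state_token(name, repo)
    if not force:
        if token is None:  # first attempt: hand out a token, delete nothing
            return False, ("re-run your command with the following "
                           f"confirmation token: {expected}")
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False, "ERROR: Confirmation token does not match, refusing to destroy"
    del repos[name]
    return True, "destroyed"

if __name__ == "__main__":
    repos = {"personal/alice/testrepo": Repo("alice")}  # constructed sample
    _, msg = destroy(repos, "alice", "personal/alice/testrepo")
    stale = msg.rsplit(" ", 1)[1]
    repos["personal/alice/testrepo"].config["project.description"] = "Foo"
    print(destroy(repos, "alice", "personal/alice/testrepo", token=stale))
```

A foreign repository that exists and one that does not produce the same `CRIT` message, so the refusal itself reveals nothing about which names are in use.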