Recognizing Insecure Drupal Code
And, why you shouldn't allow users to input a SQL operator!
03.23.2011 Technology and Innovation
If, like us, you find yourself running several development projects, you likely use some sort of ticketing system to manage features, bugs, tasks, etc. and to communicate with your clients. There are many, many options, ranging from proprietary commercial offerings like FogBugz and Jira, SaaS offerings like Unfuddle and Lighthouse, and open source tools such as Trac, Bugzilla, Redmine, and Drupal's own project module. Wikipedia has a great comparison of issue tracking systems. After much careful consideration, ThinkShout settled on Redmine due to its excellent interface, multi-project support, repository integration, rich feature set, and large install base.
But this post isn't focused on Redmine, so I won't go into too much detail about it. I will add that I've been using Redmine as my primary project management and communications tool for both clients and developers for about 2 years and am very happy with it. It doesn't do everything perfectly, but makes up for it by placing all the tools you need under one roof. Also worth watching is Chili Project, a recent fork of Redmine by some very prominent members of that community.
Redmine also does a great job associating commits with tickets. Using keywords in your commit message, you can close, resolve, or simply associate the commit with a ticket.
Enough said on that front. We also obviously need to host remote source control repositories, in our case git. GitHub is amazing in so many ways, and ThinkShout takes full advantage of it, but aside from the $100 monthly cost, which is not a huge deal, the workflow for setting up a project between Redmine and GitHub is less than ideal.
See what I mean, quite a PITA! Now imagine the team working on the project changes; you have to reassign roles on both Redmine and Github.
Wouldn't it be great if we could simply create a project on Redmine, assign users to the developer role, and have the system automatically create the repository and manage access control? I thought so, and spent several days banging my head against the wall back in January when first setting up some of ThinkShout's new infrastructure. It seemed simple enough. There are two key components. The first is Gitosis, which is essentially an access control layer written in Python that sits on top of git. On its own, it lets designated users manage access to git repositories through a master admin repository. That admin repository contains a configuration file with projects, users, and their public keys. The other is the Gitosis Redmine plugin, which manages the gitosis admin repository based on a project's users and roles. It also provides an interface in Redmine where users can upload their public keys, similar to GitHub.
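To make those moving parts concrete, here is an added example (not the plugin's own code) that does in miniature what the Gitosis Redmine plugin does: it turns a Redmine-style project membership map into a gitosis.conf, granting write access only to the Developer role and read-only access to every other member, and then audits the result for the least-privilege problems worth catching before the admin repository is pushed. The membership data, role names, and key list are constructed for illustration.

```python
"""Generate and audit a gitosis.conf from Redmine-style project roles (illustrative)."""
import configparser

# Constructed sample input: project -> {user: role}, as a Redmine plugin would see it.
MEMBERSHIPS = {
    "client-site": {"alice": "Developer", "bob": "Developer", "carol": "Reporter"},
    "intranet": {"alice": "Manager", "dave": "Developer"},
}
ADMINS = ["alice"]  # only these may push to the gitosis-admin repository

def render_gitosis_conf(memberships, admins):
    """Build gitosis.conf text: one writable and one readonly group per project."""
    lines = ["[gitosis]", "", "[group gitosis-admin]",
             "writable = gitosis-admin", "members = " + " ".join(sorted(admins)), ""]
    for project, users in sorted(memberships.items()):
        # Policy for this example: only Developers may push; everyone else reads.
        writers = sorted(u for u, role in users.items() if role == "Developer")
        readers = sorted(u for u, role in users.items() if role != "Developer")
        if writers:
            lines += [f"[group {project}-rw]", f"writable = {project}",
                      "members = " + " ".join(writers), ""]
        if readers:
            lines += [f"[group {project}-ro]", f"readonly = {project}",
                      "members = " + " ".join(readers), ""]
    return "\n".join(lines)

def audit_gitosis_conf(conf_text, keydir_users):
    """Return findings: members without a key, stale keys, more than one admin."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    granted, findings = set(), []
    for section in cfg.sections():
        if not section.startswith("group "):
            continue
        members = set(cfg.get(section, "members", fallback="").split())
        granted |= members
        if cfg.get(section, "writable", fallback="") == "gitosis-admin" and len(members) > 1:
            findings.append(f"{section}: more than one admin can rewrite access control")
        for m in sorted(members - set(keydir_users)):
            findings.append(f"{section}: member {m} has no public key in keydir/")
    # A key in keydir/ that no group references grants nothing, but should not linger.
    for stale in sorted(set(keydir_users) - granted):
        findings.append(f"keydir/: key for {stale} grants no access; remove it")
    return findings
```

Run the audit each time membership changes, so that removing a user from a Redmine project also removes both their group entry and their key file.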
Granted my Ruby and SysAdmin chops are very weak, so I'm not even sure what the exact problems were, but I do know I wasn't alone in my troubles getting this setup working properly. Also, call me a sissy, but I gave up and we stuck with good old GitHub.
A combination of things spurred me to give this another shot. There was an intriguing thread on Twitter about Gitosis/Redmine being the best solution for remote repository hosting, I came across an updated version of the Gitosis Redmine plugin, and, most importantly, I found an excellent guide which walks you through the process (thanks Greg Thornton). I used this guide just for the Gitosis / Redmine integration, as we already had Redmine running. There are lots of walkthroughs dedicated to installing Redmine on its own. Turns out the key is using access control lists to determine which user has access to all the key files and directories, rather than trying to manage file and directory ownership without ACLs. Probably also fair to mention we were one public repository away from the $100/month plan on GitHub.
All said and done, we’re thrilled with our current setup which has greatly simplified our project workflow, condensing the 5 steps mentioned above into just one. Couldn’t recommend it more.