Summary
This is a default-posture decision, not a code defect: in the default configuration, owner-push enforcement is off, so any authenticated (signed) non-owner DID can push to any repo. git_receive_pack rejects a non-owner push only when config.enforce_owner_push is set, and that flag defaults to false (GITLAWB_ENFORCE_OWNER_PUSH). The git-receive-pack POST requires some valid did:key signature (require_signature via add_auth_layers), but does not bind that signature to the repo owner unless an operator opts in.
This is deliberate, documented behavior (introduced opt-in by #68 / commit 0a15e76; the config comment says to keep it off during rolling upgrades and flip it on when owners are ready; there is a committed test asserting the default-off allow). Filing it to get an explicit maintainer decision on the default, not to report broken code.
Where
crates/gitlawb-node/src/api/repos.rs — git_receive_pack -> owner_push_rejection(config.enforce_owner_push, &repo, caller_did); owner_push_rejection returns None (no rejection) whenever the flag is off, regardless of caller.
crates/gitlawb-node/src/config.rs — enforce_owner_push defaults to false.
Confirmed by execution
owner_push_rejection(false, &repo, Some(STRANGER_DID)) returns None (a non-owner is not rejected when the flag is off). Verified by a throwaway unit test (reverted); a pre-existing committed test already documents the same default-off behavior.
Impact
A default-config node accepts pushes from any authenticated identity, not just the repo owner. Write integrity reduces to "holds a valid signature of any DID" rather than "is the repo owner." Branch protection still runs, but it only covers branches an owner explicitly protected and does not restore owner identity. With the receive-pack advertisement now read-parity (a granted reader can see the advertisement), this default surface is more visible.
Options
- Default enforce_owner_push to true and let operators opt out for rolling upgrades (rather than opt in).
- Keep opt-in, but surface the default-off state in deployment docs and the startup log so operators consciously choose it.
- Gate the receive-pack POST on owner (or explicit writer grant) directly, independent of the flag.
Pre-existing; independent of the receive-pack advertisement fix (which only touches reads).
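To make the default-off allow and the first and third options concrete, here is an added Rust sketch. It is illustrative code written for this report, not gitlawb-node's own implementation: the Repo and Config shapes, the PushRejection enum, the writer_grants field and the from_env_value helper are all assumptions modelled on the names above, and the real owner_push_rejection signature in crates/gitlawb-node/src/api/repos.rs may differ.

```rust
// Added example, not gitlawb-node code. Types and field names below are
// assumptions chosen to mirror the report's description of the check.

/// Assumed minimal repo record: the owner DID plus an (assumed) list of
/// DIDs holding an explicit write grant, as referenced by option 3.
#[derive(Debug, Clone, PartialEq)]
pub struct Repo {
    pub owner_did: String,
    pub writer_grants: Vec<String>,
}

#[derive(Debug, Clone, PartialEq)]
pub enum PushRejection {
    /// Caller is signed but is neither the owner nor (for option 3) a grantee.
    NotOwner,
    /// No DID reached the check. require_signature should make this
    /// unreachable on the POST path; kept so the check fails closed.
    Unauthenticated,
}

/// Shape of the check as reported: when the flag is off, every caller is
/// allowed, regardless of who they are.
pub fn owner_push_rejection_opt_in(
    enforce_owner_push: bool,
    repo: &Repo,
    caller_did: Option<&str>,
) -> Option<PushRejection> {
    if !enforce_owner_push {
        return None; // default posture: no rejection for any DID
    }
    match caller_did {
        None => Some(PushRejection::Unauthenticated),
        Some(did) if did == repo.owner_did => None,
        Some(_) => Some(PushRejection::NotOwner),
    }
}

/// Option 1: the same flag, but defaulting to true so operators must opt
/// out (e.g. during a rolling upgrade) rather than opt in.
#[derive(Debug, Clone)]
pub struct Config {
    pub enforce_owner_push: bool,
}

impl Default for Config {
    fn default() -> Self {
        Config { enforce_owner_push: true }
    }
}

impl Config {
    /// Assumed parser for the GITLAWB_ENFORCE_OWNER_PUSH value: absent or
    /// unrecognised means enforce; only an explicit "false"/"0"/"off" opts out.
    pub fn from_env_value(raw: Option<&str>) -> Self {
        let enforce = match raw.map(|v| v.trim().to_ascii_lowercase()) {
            Some(v) if v == "false" || v == "0" || v == "off" => false,
            _ => true,
        };
        Config { enforce_owner_push: enforce }
    }
}

/// Option 3: gate the receive-pack POST on owner or explicit writer grant
/// with no flag at all, so write integrity never depends on deployment config.
pub fn push_rejection_owner_or_grant(repo: &Repo, caller_did: Option<&str>) -> Option<PushRejection> {
    match caller_did {
        None => Some(PushRejection::Unauthenticated),
        Some(did) if did == repo.owner_did => None,
        Some(did) if repo.writer_grants.iter().any(|g| g == did) => None,
        Some(_) => Some(PushRejection::NotOwner),
    }
}

fn main() {
    // Constructed sample identities, not real DIDs.
    let repo = Repo {
        owner_did: "did:key:zOwner".to_string(),
        writer_grants: vec!["did:key:zWriter".to_string()],
    };
    let stranger = Some("did:key:zStranger");
    println!("opt-in, flag off, stranger: {:?}", owner_push_rejection_opt_in(false, &repo, stranger));
    println!("opt-in, flag on,  stranger: {:?}", owner_push_rejection_opt_in(true, &repo, stranger));
    println!("default config enforces:   {}", Config::default().enforce_owner_push);
    println!("grant-gated, stranger:     {:?}", push_rejection_owner_or_grant(&repo, stranger));
}
```

The first function reproduces the throwaway unit test from the "Confirmed by execution" section (flag off, stranger DID, result None). The other two show that either flipping the default or dropping the flag from the write path closes the gap; which of the two the maintainers prefer is the decision this issue asks for.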