hook: Send repository relative path to access check
During the execution of the prereceive hook, Gitaly makes a call to the
/allowed
endpoint on the GitLab API. This is done to perform access
checks which determine if the incoming objects, which are initially
quarantined, should be accepted into the repository.
As part of the access checks, the quarantined objects may need to be
visible to GitLab. To accommodate this, both GIT_OBJECT_DIRECTORY
and
GIT_ALTERNATE_OBJECT_DIRECTORIES
, which contain the main and
quarantined object directories, are provided to the access checks. This
enables quarantined objects in a repository to be visible during
downstream Gitaly calls.
With the new transaction management in Gitaly, this approach needs to be
adapted to support access checks on the transaction snapshot instead of
the original repository. To help facilitate this, the repository
relative path is now provided to the GitLab /allowed
endpoint. Future
changes to the GitLab API are required to use this additional parameter
to perform appropriate access checks.