policy.drush.inc


Example policy commandfile. Modify as desired.

Validates commands as they are issued and returns an error or changes options when policy is violated.

You can copy this file to any of the following locations: 1. A .drush folder in your HOME folder. 2. Anywhere in a folder tree below an active module on your site. 3. /usr/share/drush/commands (configurable). 4. An arbitrary folder specified with the --include option. 5. Drupal's /drush or sites/all/drush folder, or the /drush folder in the directory above the Drupal root (note: sql-sync validation won't work in any of the locations listed under 5).

Functions

File

examples/policy.drush.inc
  1. <?php
  2. /**
  3. * @file
  4. * Example policy commandfile. Modify as desired.
  5. *
  6. * Validates commands as they are issued and returns an error
  7. * or changes options when policy is violated.
  8. *
  9. * You can copy this file to any of the following
  10. * 1. A .drush folder in your HOME folder.
  11. * 2. Anywhere in a folder tree below an active module on your site.
  12. * 3. /usr/share/drush/commands (configurable)
  13. * 4. In an arbitrary folder specified with the --include option.
  14. * 5. Drupal's /drush or sites/all/drush folder, or in the /drush
  15. * folder in the directory above the Drupal root (note: sql-sync
  16. * validation won't work in any of these locations).
  17. */
  /**
   * Implements drush_hook_COMMAND_validate().
   *
   * Prevents a catastrophic slip: a sql-sync whose destination argument is
   * '@prod' is refused, so the production database is not overwritten.
   *
   * This file has to be local to the machine that initiates the sql-sync
   * command, so the check only applies where the commandfile is installed.
   * NOTE(review): only the alias string itself is compared; whether another
   * alias or site specification can point at the same database is not visible
   * from this file - confirm against your alias definitions.
   *
   * @param string|null $source
   *   Source argument of sql-sync; not inspected here.
   * @param string|null $destination
   *   Destination argument of sql-sync.
   *
   * @return mixed
   *   Whatever drush_set_error() returns when the sync is denied, otherwise
   *   NULL.
   */
  function drush_policy_sql_sync_validate($source = NULL, $destination = NULL) {
    $targets_production = ($destination == '@prod');
    if (!$targets_production) {
      // Nothing to object to; let the command proceed.
      return;
    }
    $reason = dt('Per examples/policy.drush.inc, you may never overwrite the production database.');
    return drush_set_error('POLICY_DENY', $reason);
  }
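  /**
   * Implements drush_hook_COMMAND_validate().
   *
   * Denies rsync operations whose destination starts with '@prod'.
   *
   * The match is a prefix match, so it covers '@prod' followed by anything
   * (for example a path suffix), and it also matches any other alias whose
   * name merely begins with '@prod'.
   *
   * @param string|null $source
   *   Source argument of rsync; not inspected here.
   * @param string|null $destination
   *   Destination argument of rsync. May be NULL when the hook is invoked
   *   without arguments.
   *
   * @return mixed
   *   Whatever drush_set_error() returns when the rsync is denied, otherwise
   *   NULL.
   */
  function drush_policy_core_rsync_validate($source = NULL, $destination = NULL) {
    // The default for $destination is NULL; only hand real strings to
    // preg_match() so a missing argument does not trigger a NULL-subject
    // deprecation notice on newer PHP versions.
    if (is_string($destination) && preg_match("/^@prod/", $destination)) {
      return drush_set_error('POLICY_DENY', dt('Per examples/policy.drush.inc, you may never rsync to the production site.'));
    }
  }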
  /**
   * Implements hook_drush_sitealias_alter().
   *
   * Alters alias record data in code by re-creating the old 'parent' element:
   * every alias named in the comma-separated 'parent' value is looked up and
   * merged underneath the current record, then 'parent' is removed.
   *
   * Keep this if you want to keep using 'parent', but do not want to be nagged
   * (or worse, break when it is removed).
   *
   * NOTE(review): the value returned by drush_sitealias_get_record() is used
   * as an array without a check; what it returns for an unknown parent name
   * is not visible from this file - confirm.
   *
   * @param array $alias_record
   *   Alias record, modified in place.
   */
  function policy_drush_sitealias_alter(&$alias_record) {
    if (!isset($alias_record['parent'])) {
      return;
    }
    $parent_names = explode(',', $alias_record['parent']);
    foreach ($parent_names as $parent_name) {
      $inherited = drush_sitealias_get_record($parent_name);
      // Bookkeeping keys of the parent must not leak into the child record.
      unset($inherited['#name'], $inherited['#file'], $inherited['#hidden']);
      // Keys whose values are arrays are merged element by element, with the
      // child's entries overriding the parent's.
      $nested_keys = array_merge(drush_get_special_keys(), array('path-aliases'));
      foreach ($nested_keys as $nested_key) {
        if (!isset($alias_record[$nested_key]) || !isset($inherited[$nested_key])) {
          continue;
        }
        $alias_record[$nested_key] = array_merge($inherited[$nested_key], $alias_record[$nested_key]);
      }
      // Remaining keys: the parent supplies defaults, the child wins.
      $alias_record = array_merge($inherited, $alias_record);
    }
    unset($alias_record['parent']);
  }
  66. php
  /**
   * Implements drush_hook_COMMAND_validate().
   *
   * Encourage folks to use `composer` instead of Drush pm commands. The
   * decision itself is made by _deny_message().
   *
   * @return mixed
   *   Whatever _deny_message() returns.
   */
  function drush_policy_pm_updatecode_validate() {
    $verdict = _deny_message();
    return $verdict;
  }
  /**
   * Implements drush_hook_COMMAND_validate().
   *
   * Applies the same Composer-over-pm policy to this command by delegating to
   * _deny_message().
   *
   * @return mixed
   *   Whatever _deny_message() returns.
   */
  function drush_policy_pm_update_validate() {
    $verdict = _deny_message();
    return $verdict;
  }
  /**
   * Implements drush_hook_COMMAND_validate().
   *
   * Applies the same Composer-over-pm policy to this command by delegating to
   * _deny_message().
   *
   * @return mixed
   *   Whatever _deny_message() returns.
   */
  function drush_policy_pm_download_validate() {
    $verdict = _deny_message();
    return $verdict;
  }
  /**
   * Shared check behind the pm-* validate hooks.
   *
   * Sets a POLICY_PM_DENY error unless the caller passed a truthy --pm-force
   * option. The override is available to anyone who can run the command, so
   * it acts as a reminder rather than an access control.
   *
   * @return mixed
   *   Whatever drush_set_error() returns when the command is denied, otherwise
   *   NULL.
   */
  function _deny_message() {
    if (drush_get_option('pm-force')) {
      // Explicit override requested; do not object.
      return;
    }
    $msg = 'This codebase is assembled with Composer instead of Drush. Use `composer update` and `composer require` instead of `drush pm-updatecode` and `drush pm-download`. You may override this error by using the --pm-force option.';
    return drush_set_error('POLICY_PM_DENY', dt($msg));
  }
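  /**
   * Implements hook_drush_help_alter().
   *
   * When a hook extends a command with additional options, it must
   * implement help alter and declare the option(s). Doing so will add
   * the option to the help text for the modified command, and will also
   * allow the new option to be specified on the command line. Without
   * this, Drush will fail with an error when a user attempts to use
   * the option.
   *
   * The command record is taken by reference. With a by-value parameter the
   * options added below are written to a local copy and discarded, so neither
   * --token nor --pm-force would ever be declared.
   *
   * @param array $command
   *   Command record; 'command' is read and 'options' is extended in place.
   */
  function policy_drush_help_alter(&$command) {
    if ($command['command'] === 'updatedb') {
      $command['options']['token'] = 'Per site policy, you must specify a token in the --token option for all commands.';
    }
    elseif (in_array($command['command'], array('pm-updatecode', 'pm-update', 'pm-download'), TRUE)) {
      $command['options']['pm-force'] = 'Override site policy and allow Drush codebase management (pm-* commands)';
    }
  }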
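  /**
   * Implements drush_hook_COMMAND_validate().
   *
   * To test this example without copying, execute
   * `drush --include=./examples updatedb` from within your drush directory.
   *
   * Unauthorized users may view pending updates but not execute them: when
   * the token is missing or wrong, a warning is logged, DRUSH_AFFIRMATIVE is
   * set to FALSE and DRUSH_NEGATIVE to TRUE.
   *
   * The literal 'secret' is the example's placeholder value. A token passed
   * as a command-line option is part of the process arguments, so treat this
   * as a guard against accidents rather than as authentication.
   */
  function drush_policy_updatedb_validate() {
    // Check for a token in the request. In this case, we require --token=secret.
    // Compare the whole option value: negating the option first and then
    // comparing with '==' would only trigger when no token was given at all,
    // letting any non-empty token through.
    if (drush_get_option('token') !== 'secret') {
      drush_log(dt('Per site policy, you must add a secret --token complete this command. See examples/policy.drush.inc. If you are running a version of drush prior to 4.3 and are not sure why you are seeing this message, please see http://drupal.org/node/1024824.'), 'warning');
      drush_set_context('DRUSH_AFFIRMATIVE', FALSE);
      drush_set_context('DRUSH_NEGATIVE', TRUE);
    }
  }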
  /**
   * Implements drush_hook_COMMAND_validate().
   *
   * Only sudo tells me to make a sandwich: http://xkcd.com/149/
   *
   * On non-Windows systems the command is refused unless the account name
   * looked up for the effective user id is 'root'. On Windows no check is
   * performed yet, so the command is always allowed there.
   *
   * @return mixed
   *   Whatever drush_set_error() returns when the command is denied, otherwise
   *   NULL.
   */
  function drush_policy_make_me_a_sandwich_validate() {
    if (drush_is_windows()) {
      // $name = drush_get_username();
      // TODO: implement check for elevated process using w32api
      // as sudo is not available for Windows
      // @see http://php.net/manual/en/book.w32api.php
      // @see http://social.msdn.microsoft.com/Forums/en/clr/thread/0957c58c-b30b-4972-a319-015df11b427d
      return;
    }
    // The decision is based on the account name, not on the numeric uid.
    $account = posix_getpwuid(posix_geteuid());
    if ($account['name'] === 'root') {
      return;
    }
    return drush_set_error('POLICY_MAKE_IT_YOUSELF', dt('What? Make your own sandwich.'));
  }