From 9d15a00fde3119a8b4e26b02d66c3aa6a1c5d2c9 Mon Sep 17 00:00:00 2001
From: "kovacs.ferenc"
Date: Sun, 9 Aug 2015 18:09:45 +0200
Subject: [PATCH 1/2] protect master branches except for the pecl repos against force pushes
---
 hooks/pre-receive | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hooks/pre-receive b/hooks/pre-receive
index 9613854..01dbd43 100755
--- a/hooks/pre-receive
+++ b/hooks/pre-receive
@@ -25,8 +25,9 @@ include 'Git/PreReceiveHook.php';
 $weKnowWhatWeAreDoing = ['dsp', 'johannes', 'tyrael'];
 // On restricted branches forced pushes are only possible by users listed in $weKnowWhatWeAreDoing
+// the master branch is always protected except for the pecl/ repos, see below
 $restrictedBranches =
- ['php-src.git' => ['refs/heads/PHP-5.4', 'refs/heads/PHP-5.3', 'refs/heads/PHP-5.5', 'refs/heads/PHP-5.6', 'refs/heads/master'],
+ ['php-src.git' => ['refs/heads/PHP-5.4', 'refs/heads/PHP-5.3', 'refs/heads/PHP-5.5', 'refs/heads/PHP-5.6'],
 'playground.git' => ['refs/heads/dsp']];
 // On closed branches only RMs may push
 $closedBranches = [
@@ -153,8 +154,11 @@ if (isset($closedBranches[$repo_name])) {
 }
 $restricted = [];
+if (strpos($repo_name, 'pecl/') !== 0 && in_array('refs/heads/master', $pi->getBranches())) {
+ $restricted[] = 'refs/heads/master';
+}
 if (isset($restrictedBranches[$repo_name])) {
- $restricted = array_filter($restrictedBranches[$repo_name],
+ $restricted += array_filter($restrictedBranches[$repo_name],
 function ($branch) use ($pi) {
 return in_array($branch, $pi->getBranches());
 });
From e8cd3b8ed569f42120f83db6933db3f29cede75c Mon Sep 17 00:00:00 2001
From: "kovacs.ferenc"
Date: Sun, 9 Aug 2015 19:30:42 +0200
Subject: [PATCH 2/2] fix the restricted branch appendion as pointed out by salathe
---
 hooks/pre-receive | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hooks/pre-receive b/hooks/pre-receive
index 01dbd43..097a377 100755
--- a/hooks/pre-receive
+++ b/hooks/pre-receive
@@ -154,15 +154,15 @@ if (isset($closedBranches[$repo_name])) {
 }
 $restricted = [];
-if (strpos($repo_name, 'pecl/') !== 0 && in_array('refs/heads/master', $pi->getBranches())) {
- $restricted[] = 'refs/heads/master';
-}
 if (isset($restrictedBranches[$repo_name])) {
- $restricted += array_filter($restrictedBranches[$repo_name],
+ $restricted = array_filter($restrictedBranches[$repo_name],
 function ($branch) use ($pi) {
 return in_array($branch, $pi->getBranches());
 });
 }
+if (strpos($repo_name, 'pecl/') !== 0 && in_array('refs/heads/master', $pi->getBranches())) {
+ $restricted[] = 'refs/heads/master';
+}
 if (count($restricted) > 0 && $pi->isForced() && !in_array($user, $weKnowWhatWeAreDoing)) {
 deny("You are not allowed to overwrite commits on " . implode(', ', $restricted));
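Review bot: The new master entry in `$restricted` is only enforced through `$pi->isForced()` in the condition that follows it, and whether that returns true for a ref deletion is not visible in this hunk; removing and re-creating the branch rewrites history just as a forced push does, so it is worth confirming that case is denied for master too. The added `if (strpos($repo_name, 'pecl/') !== 0 && ...)` block also has no comment of its own, and the only explanation of the pecl exception is the "see below" remark in the config block at the top of the file; a line such as `// master is restricted in every repository except those under pecl/` directly above it would keep the rule findable. As a smaller point, the new `in_array('refs/heads/master', $pi->getBranches())` could pass `true` as its third argument for a strict comparison. The `if (count($restricted) > 0 ...` block continues past the end of the hunk.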