authorDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-10-10 13:56:28 +0100
committerDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-10-10 13:56:28 +0100
commitcca2006e57081c8a4c2948418d6da9bbc01102bf (patch)
treeab2128cfb0c40c4e8c2b1200cc2fe76bb62f8c52
parent5569643bfcb9e5c45861dcd40ede14957a7e2ca7 (diff)
downloadtrove-setup-cca2006e57081c8a4c2948418d6da9bbc01102bf.tar.gz
Various tweaks for repository rules
-rw-r--r--gitano-admin/rules/createrepo.lace2
-rw-r--r--gitano-admin/rules/defines.lace1
-rw-r--r--gitano-admin/rules/destroyrepo.lace3
-rw-r--r--gitano-admin/rules/project.lace4
-rw-r--r--gitano-admin/rules/remoteconfigchecks.lace3
-rw-r--r--gitano-admin/rules/trove-project.lace2
6 files changed, 11 insertions, 4 deletions
diff --git a/gitano-admin/rules/createrepo.lace b/gitano-admin/rules/createrepo.lace
index 27583ae..bf4683e 100644
--- a/gitano-admin/rules/createrepo.lace
+++ b/gitano-admin/rules/createrepo.lace
@@ -17,7 +17,7 @@
allow "Project admins may make project repositories" repo_is_local_project project_admin
# Allow lorry to create repositories anywhere but the local project root
-allow "Lorry may create repositories anywhere but the local root" !repo_is_local_project is_lorry
+allow "Lorry may create lorryable repos" is_lorry lorryable_repo
# Otherwise the default is that non-admins can't create repositories
deny "Repository creation is not permitted."
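Review bot: The comment directly above the changed rule still says lorry may create repositories "anywhere but the local project root", but the new predicate `lorryable_repo` (defined in defines.lace in this same commit) also excludes personal and gitano-admin repositories, so the comment now understates the restriction. The same wording is introduced afresh in the destroyrepo.lace hunk and should be corrected there too. Suggest `# Allow lorry to create repositories outside the local project, personal and admin namespaces (see lorryable_repo)`.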
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index d243afd..d24b858 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -98,5 +98,6 @@ define target_group_gitano_admin targetgroup gitano-admin
define is_lorry user lorry
define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/
+define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
define is_worker group workers
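Review bot: `lorryable_repo` becomes the single predicate that governs what the lorry account may create, destroy, remote-admin and read, yet the define carries no comment saying so. A one-line note would make the blast radius of a later edit obvious, e.g. `# Repositories the lorry user may create/destroy/admin/read: everything outside the local project, personal and gitano-admin namespaces. Used by createrepo, destroyrepo, remoteconfigchecks and project rules.` Changing any of the three negated terms here silently changes four rule files at once, which is worth stating next to the definition.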
diff --git a/gitano-admin/rules/destroyrepo.lace b/gitano-admin/rules/destroyrepo.lace
index 0b83212..6e6b446 100644
--- a/gitano-admin/rules/destroyrepo.lace
+++ b/gitano-admin/rules/destroyrepo.lace
@@ -14,4 +14,7 @@ allow "You may destroy your own repositories" is_owner repo_is_personal
# Project admins may destroy repos inside their projects
allow "Project admins may destroy project repos" repo_is_local_project project_admin
+# Allow lorry to destroy repositories anywhere but the local project root
+allow "Lorry may destroy lorryable repos" is_lorry lorryable_repo
+
deny "You may not destroy repositories you do not own"
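Review bot: The new allow grants the lorry user a destructive capability it did not have in this file before — deleting any lorryable repository — and the commit message ("Various tweaks for repository rules") does not mention it. If lorry is an automated mirroring account, as the name suggests, it is worth recording why an unattended process needs destroy rights rather than only create and admin, and whether a narrower predicate would do. At minimum the comment should describe the actual scope, e.g. `# Allow lorry to destroy lorryable repos (outside the local project, personal and admin namespaces)`, instead of repeating "anywhere but the local project root".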
diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace
index 862b8a3..aa5e1e2 100644
--- a/gitano-admin/rules/project.lace
+++ b/gitano-admin/rules/project.lace
@@ -12,7 +12,7 @@
allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
# Any non-gitano-admin repo is readable to the lorry user and the worker group
-allow "Lorry may read" op_read !is_admin_repo is_lorry
+allow "Lorry may read" op_read is_lorry lorryable_repo
allow "Workers may read" op_read !is_admin_repo is_worker
# Force /baserock and /delta to always be anon-readable which means git:// will
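Review bot: The comment at the top of this hunk still says any non-gitano-admin repo is readable to the lorry user, but the rule now uses `lorryable_repo`, which also excludes personal and local-project repositories, so lorry loses read access to those compared with the old `!is_admin_repo`; the worker rule on the following line is unchanged and still matches the comment. If this narrowing is intended, the comment should say so, e.g. `# Lorryable repos are readable to lorry; any non-gitano-admin repo is readable to the worker group`; if it is not, the old predicate should stay. The second hunk in this file (the `global:other-project` include) is an equivalent rewrite of the same three negations and needs no change.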
@@ -35,4 +35,4 @@ include global:adminchecks is_admin_ref
allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
include global:trove-project repo_is_local_project
-include global:other-project !repo_is_personal !repo_is_local_project !is_admin_repo
+include global:other-project lorryable_repo
diff --git a/gitano-admin/rules/remoteconfigchecks.lace b/gitano-admin/rules/remoteconfigchecks.lace
index d951f7a..6f88f5f 100644
--- a/gitano-admin/rules/remoteconfigchecks.lace
+++ b/gitano-admin/rules/remoteconfigchecks.lace
@@ -14,4 +14,7 @@ allow "Owners may remote-admin their repositories" is_owner repo_is_personal
# *-admins may remote-admin their project's repositories
allow "Project admins may admin project repos" repo_is_local_project project_admin
+# lorry may remote-admin lorryable repositories
+allow "Lorry may admin lorry repos" is_lorry lorryable_repo
+
deny "You may not configure this repository remotely"
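Review bot: The message on the added allow says "lorry repos" while the comment above it and the sibling rules in createrepo.lace and destroyrepo.lace say "lorryable repos", which makes the rules harder to grep for and to relate to the `lorryable_repo` define. Suggest `allow "Lorry may admin lorryable repos" is_lorry lorryable_repo`. Remote-admin rights for an automated account are a notable grant, so the comment could also state the concrete need, if one is known to the author.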
diff --git a/gitano-admin/rules/trove-project.lace b/gitano-admin/rules/trove-project.lace
index 86ff49b..c30e838 100644
--- a/gitano-admin/rules/trove-project.lace
+++ b/gitano-admin/rules/trove-project.lace
@@ -24,5 +24,5 @@ allow "Master may be altered" op_is_update master_ref
deny "Master may not be deleted" op_deleteref master_ref
## Anything else.
-allow "Project writers may alter any refs" op_is_reffy !master_ref
+allow "Project writers may alter any refs" op_is_reffy !master_ref ct_writer
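Review bot: Adding `ct_writer` turns this allow from matching any user who reaches it into one that only matches project writers, which is a tightening of ref-update authorisation rather than a "tweak"; the commit message should state that non-writers could previously alter non-master refs in trove projects, so that deployers know to apply it. `ct_writer` is not defined anywhere in this diff, so it presumably comes from defines.lace or from the context in which `global:trove-project` is included — worth confirming it resolves in every such context. The hunk appears to end at the last visible line, but the page may be cut there.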