authorSam Thursfield <>2015-06-05 15:32:57 +0100
committerBaserock Gerrit <>2015-11-19 15:05:45 +0000
commitd83ffbf8aa6fa7cb3a8c50b03b77d0c09a88ed04 (patch)
parent1ca53f11d302a7db3ef53e09ba7c259689a9cb83 (diff)
Allow tags to be pushed to the trove's own namespace in mirrored repos
Previously, when Trove mirrored an upstream repo, it would allow users to push branches as long as they started with the trove-id. The intention is to keep local changes in a separate namespace that can co-exist with whatever branches the upstream repo has. This patch extends this to tags, so that users can push tags to refs/tags/{{ trove-id}}/whatever. This is necessary for the `morph anchor` command to work as expected when the 'ref' fields of some definitions point to tag objects. Git itself prevents pushing tags to 'refs/heads/...' so `morph anchor` must be configured to push them to 'refs/tags/...'. Without this patch, Gitano will prevent that as well, but with this patch, `morph anchor` should be usable. Repos in the Trove's own prefix (such as the baserock/ repos on, or the foo-trove/ repos on a Trove with trove ID 'foo-trove') are the only ones not considered to be mirrors, and users can already push branches and tags wherever they want to in these repos. Change-Id: I06496ea6c5c57d3fae7e5750cf51e31bbd16d8d2
2 files changed, 5 insertions, 3 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace
index 466ac6f..16b6d96 100644
--- a/share/gitano/skel/gitano-admin/rules/defines.lace
+++ b/share/gitano/skel/gitano-admin/rules/defines.lace
@@ -100,7 +100,8 @@ define trove_site_admin group trove-admin
define target_group_gitano_admin targetgroup gitano-admin
define is_lorry user lorry
-define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/
+define is_local_branch ref ~^refs/heads/{{ ESC_PREFIX }}/
+define is_local_tag ref ~^refs/tags/{{ ESC_PREFIX }}/
define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
define is_worker group workers
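Review bot: `is_local_ref` is removed outright rather than kept as a compatibility alias, so any rule file outside this commit that still references it would no longer resolve. Only other-project.lace is updated here; it is worth grepping the remaining skel rules, and considering already-deployed gitano-admin repos that were presumably seeded from this skeleton and may carry site-specific rules using the old name. If a transition period is wanted, keeping `define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/` next to the two new defines, marked deprecated, preserves the old meaning without silently widening it to tags.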
diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace
index e5f05be..346718e 100644
--- a/share/gitano/skel/gitano-admin/rules/other-project.lace
+++ b/share/gitano/skel/gitano-admin/rules/other-project.lace
@@ -15,11 +15,12 @@ allow "Anyone may read here" op_read
allow "Anyone may write here" op_write !is_anonymous
# Lorry can do anything reffy which is not inside the local refs
-allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref
+allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }} or refs/tags/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_branch !is_local_tag
# Noone can rewind/rebase outside of their personal refs
deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal
# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }}
-allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
+allow "Project writers may alter any branches in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_branch
+allow "Project writers may alter any tags in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_tag
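Review bot: The new tag rule grants `op_is_reffy` on refs/tags/{{ TROVE_ID }}/ to every non-Lorry user, which by its name presumably covers deleting a tag as well as creating one. The forced-update deny above it stops a tag from being moved in place, but a deletion followed by a fresh create would not count as a forced update, so the tags `morph anchor` depends on could be removed or repointed by anyone with write access. If anchors are meant to be durable, consider limiting the tag rule to ref creation and leaving deletion to admins. Separately, the comment above these rules still names only refs/heads; I would change it to `# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }} and refs/tags/{{ TROVE_ID }}`.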