authorDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-09-07 17:02:09 +0100
committerDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-09-07 17:02:09 +0100
commit57f53edd217b06031cfa003c620b553292ebd5e7 (patch)
treed1ed82e5aff8e771b37071911ca7ad32b24ba0d0 /gitano-admin/rules/project.lace
parentfb652434121c382fc622845ec714c2a14f2fde58 (diff)
Update ruleset
Diffstat (limited to 'gitano-admin/rules/project.lace')
-rw-r--r--gitano-admin/rules/project.lace32
1 files changed, 22 insertions, 10 deletions
diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace
index b09ad10..3144c64 100644
--- a/gitano-admin/rules/project.lace
+++ b/gitano-admin/rules/project.lace
@@ -1,10 +1,24 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Core project administration rules
# Admins already got allowed, so this is for non-admin users only
-allow "Owners can always read and write" op_is_basic is_owner
+allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
-# Uncomment if you want to *force* anonymous access to all but gitano-admin
-# allow "Anonymous access always allowed" op_read !is_admin_repo
+# Force /baserock and /delta to always be anon-readable which means git:// will
+# work. This is part of the core ruleset for Baserock because /baserock/ and
+# /delta/ are always open source.
+define is_baserock_repo repository ~^baserock/
+define is_delta_repo repository ~^delta/
+define is_opensource_repo anyof is_baserock_repo is_delta_repo
+
+allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
# Project remote-configuration rules (set-head etc)
include global:remoteconfigchecks op_is_config
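Review bot: The new `allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo` grants unauthenticated read purely on a name prefix (`~^baserock/`, `~^delta/`), so any repository created under or renamed into those namespaces becomes world-readable over git:// with no further check. Nothing in this hunk limits who may create or rename repositories there; that presumably lives in rules outside this file and is worth confirming. I would record the dependency next to the defines, e.g. `# NOTE: anything under baserock/ or delta/ is anonymously readable; creation and rename into these prefixes must stay restricted`. The comment also writes `/baserock` and `/delta` with a leading slash while the patterns are anchored without one, so one of the two should be aligned with how the repository name is actually presented to the rule.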
@@ -12,11 +26,9 @@ include global:remoteconfigchecks op_is_config
# Okay, if we're altering the admin ref, in we go
include global:adminchecks is_admin_ref
-# Now we're into branch operations. Owners can do any normal operation
-# Normal ops are create/delete/fastforward on refs
-allow "Owners can create refs" op_is_normal is_owner
-# We don't enable non-fastforward updates by default. Projects must do
-# this in their own rules if they want it.
-
+# Now we're into branch operations.
+# Owners of personal repositories can do any reffy operation
+allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
-include global:ct-project repo_has_project_code
+include global:trove-project repo_is_local_project
+include global:other-project !repo_is_personal !repo_is_local_project !is_admin_repo
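Review bot: The rule on the `op_is_reffy` line still carries the description "Owners can create refs" although it now covers every "reffy" operation for personal-repository owners, and the removed comment saying non-fast-forward updates are not enabled by default has no replacement. `op_is_reffy` and `repo_is_personal` are defined outside this hunk; if `op_is_reffy` includes forced updates, the default now permits history rewriting on personal repositories, and a comment should say so explicitly. Because the description string is presumably what appears when the rule matches, I would change the line to something like `allow "Personal repo owners can do any ref operation" op_is_reffy is_owner repo_is_personal`. The final `include global:other-project !repo_is_personal !repo_is_local_project !is_admin_repo` also makes access to every remaining repository depend on a ruleset not visible here, so it is worth confirming that it ends in an explicit deny.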