author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-07-14 15:10:09 +0000 |
---|---|---|
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-07-14 15:10:09 +0000 |
commit | 160fd3f2f1d372751836c0073bdc944df1cfbb91 (patch) | |
tree | d6b46ce1ec600400883e53b82e12b390fa73f262 /share/gitano/skel/gitano-admin/rules/project.lace | |
parent | eafba37e2bfc3897e3e7f65f2ce087fbee358f43 (diff) | |
parent | d349c9a35d3d53ebfc9f26df373e84fa5986a1b6 (diff) | |
download | trove-setup-160fd3f2f1d372751836c0073bdc944df1cfbb91.tar.gz |
Merge branch 'baserock/pedroalvarez/trove-ansible3'
Reviewed-by: Richard Maw
Reviewed-by: Lars Wirzenius
Diffstat (limited to 'share/gitano/skel/gitano-admin/rules/project.lace')
-rw-r--r-- | share/gitano/skel/gitano-admin/rules/project.lace | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/project.lace b/share/gitano/skel/gitano-admin/rules/project.lace
new file mode 100644
index 0000000..aa5e1e2
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/project.lace
@@ -0,0 +1,38 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Admins already got allowed, so this is for non-admin users only
+allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
+
+# Any non-gitano-admin repo is readable to the lorry user and the worker group
+allow "Lorry may read" op_read is_lorry lorryable_repo
+allow "Workers may read" op_read !is_admin_repo is_worker
+
+# Force /baserock and /delta to always be anon-readable which means git:// will
+# work. This is part of the core ruleset for Baserock because /baserock/ and
+# /delta/ are always open source.
+define is_baserock_repo repository ~^baserock/
+define is_delta_repo repository ~^delta/
+define is_opensource_repo anyof is_baserock_repo is_delta_repo
+
+allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
+
+# Project remote-configuration rules (set-head etc)
+include global:remoteconfigchecks op_is_config
+
+# Okay, if we're altering the admin ref, in we go
+include global:adminchecks is_admin_ref
+
+# Now we're into branch operations.
+# Owners of personal repositories can do any reffy operation
+allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
+
+include global:trove-project repo_is_local_project
+include global:other-project lorryable_repo |
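Review bot: The comment above the Lorry and Worker rules says any non-gitano-admin repo is readable to both, but the Lorry rule is gated on `lorryable_repo` and only the Worker rule uses `!is_admin_repo`, so the comment overstates one rule and hides that workers can read every non-admin repository, which would appear to include personal ones. I would reword it to `# Lorry may read lorryable repos; workers may read every non-admin repo (personal repos included)`, or narrow the Worker rule if that reach is not intended. Because the anonymous-read allow sits before the `global:trove-project` and `global:other-project` includes, anything created under `baserock/` or `delta/` is presumably public regardless of per-project rules, so a comment should record that repository-creation rights under those prefixes amount to publication rights. The predicates `is_lorry`, `lorryable_repo`, `is_worker` and `is_admin_repo` are defined outside this file, so their exact reach cannot be confirmed from this hunk.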