-rw-r--r--share/gitano/skel/gitano-admin/rules/defines.lace3
-rw-r--r--share/gitano/skel/gitano-admin/rules/other-project.lace5
2 files changed, 5 insertions, 3 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace
index 466ac6f..16b6d96 100644
--- a/share/gitano/skel/gitano-admin/rules/defines.lace
+++ b/share/gitano/skel/gitano-admin/rules/defines.lace
@@ -100,7 +100,8 @@ define trove_site_admin group trove-admin
define target_group_gitano_admin targetgroup gitano-admin
define is_lorry user lorry
-define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/
+define is_local_branch ref ~^refs/heads/{{ ESC_PREFIX }}/
+define is_local_tag ref ~^refs/tags/{{ ESC_PREFIX }}/
define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
define is_worker group workers
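Review bot: Dropping the name `is_local_ref` at the renamed define leaves any rule that still references it without a definition. This commit updates only other-project.lace, and because these files are a skeleton that is copied into admin repositories, locally edited rule sets may still use the old name; whether other shipped rule files do is not visible here. I would add a comment above the two new defines, for example `# is_local_ref was split into is_local_branch and is_local_tag; rules using the old name must be updated`, and check the remaining skeleton rules for leftover uses before merging.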
diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace
index e5f05be..346718e 100644
--- a/share/gitano/skel/gitano-admin/rules/other-project.lace
+++ b/share/gitano/skel/gitano-admin/rules/other-project.lace
@@ -15,11 +15,12 @@ allow "Anyone may read here" op_read
allow "Anyone may write here" op_write !is_anonymous
# Lorry can do anything reffy which is not inside the local refs
-allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref
+allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }} or refs/tags/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_branch !is_local_tag
# Noone can rewind/rebase outside of their personal refs
deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal
# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }}
-allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
+allow "Project writers may alter any branches in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_branch
+allow "Project writers may alter any tags in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_tag
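Review bot: The new tag allow on the last line grants every `op_is_reffy` operation under `refs/tags/{{ TROVE_ID }}/` to any non-Lorry user, and the only restriction evaluated before it is the `op_forcedupdate` deny. If `op_is_reffy` also covers ref deletion and creation (its definition is outside this diff), a writer could still repoint a local tag by deleting and recreating it, which matters where tags mark releases; consider a deny for deletion on `is_local_tag` ahead of this allow, or state in a comment that mutable local tags are intended. That deny's message says "Non-personal branches" although its condition now also governs the local tags, so the wording is worth widening. The comment above the branch rule still names only refs/heads and should read `# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }} and refs/tags/{{ TROVE_ID }}`.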