diff options
Diffstat (limited to 'gitano-admin/rules/project.lace')
-rw-r--r-- | gitano-admin/rules/project.lace | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace index b09ad10..3144c64 100644 --- a/gitano-admin/rules/project.lace +++ b/gitano-admin/rules/project.lace @@ -1,10 +1,24 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Core project administration rules # Admins already got allowed, so this is for non-admin users only -allow "Owners can always read and write" op_is_basic is_owner +allow "Owners can always read and write" op_is_basic is_owner repo_is_personal -# Uncomment if you want to *force* anonymous access to all but gitano-admin -# allow "Anonymous access always allowed" op_read !is_admin_repo +# Force /baserock and /delta to always be anon-readable which means git:// will +# work. This is part of the core ruleset for Baserock because /baserock/ and +# /delta/ are always open source. +define is_baserock_repo repository ~^baserock/ +define is_delta_repo repository ~^delta/ +define is_opensource_repo anyof is_baserock_repo is_delta_repo + +allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo # Project remote-configuration rules (set-head etc) include global:remoteconfigchecks op_is_config @@ -12,11 +26,9 @@ include global:remoteconfigchecks op_is_config # Okay, if we're altering the admin ref, in we go include global:adminchecks is_admin_ref -# Now we're into branch operations. Owners can do any normal operation -# Normal ops are create/delete/fastforward on refs -allow "Owners can create refs" op_is_normal is_owner -# We don't enable non-fastforward updates by default. Projects must do -# this in their own rules if they want it. - +# Now we're into branch operations. +# Owners of personal repositories can do any reffy operation +allow "Owners can create refs" op_is_reffy is_owner repo_is_personal -include global:ct-project repo_has_project_code +include global:trove-project repo_is_local_project +include global:other-project !repo_is_personal !repo_is_local_project !is_admin_repo |