Diffstat (limited to 'gitano-admin/rules/siteadmin.lace')
-rw-r--r-- | gitano-admin/rules/siteadmin.lace | 36 |
1 files changed, 23 insertions, 13 deletions
diff --git a/gitano-admin/rules/siteadmin.lace b/gitano-admin/rules/siteadmin.lace
index b3818ef..06c71bb 100644
--- a/gitano-admin/rules/siteadmin.lace
+++ b/gitano-admin/rules/siteadmin.lace
@@ -1,22 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
 # Site administration rules
 # You must explicitly allow site administration here for anyone who
-# has the rights to do site admin but isn't a member of gitano-admin.
+# has the rights to do site admin but isn't an administrator.
-# ct_site_admin is a predicate which is for ct-admin
-allow "CT Site Admins can manage users" ct_site_admin op_user
-allow "CT Site Admins can manage groups other than gitano-admin" ct_site_admin op_group !target_group_gitano_admin
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
-# ctXXX-admins members are permitted to edit ctXXX-* groups
-define ct_may_admin_target_group group ${targetgroup/prefix}-admins
-define is_ct_project_target targetgroup ~^ct[0-9]+%-
-allow "CT project admins can manage ctXXX- groups for their projects" op_group is_ct_project_target ct_may_admin_target_group
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
-# Anyone is permitted to look at the people in ct-admin and ctXXX-admins
-define ct_target_group_is_ct_admin targetgroup ct-admin
-define ct_target_group_is_ctxxx_admins targetgroup ~^ct[0-9]+%-admins$
-define ct_show_target_ok anyof ct_target_group_is_ct_admin ct_target_group_is_ctxxx_admins
-allow "Anyone may see admin groups" op_groupshow ct_show_target_ok
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
 # Otherwise we always deny site administration
 deny "You may not perform site administration"
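Review bot: The new project-managers rule `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group` drops the exclusion of the full-administration group: `target_group_has_hyphen` (`targetgroup ~%-`) matches any group name containing a hyphen, so `gitano-admin` and `trove-admin` now satisfy it, whereas the old `is_ct_project_target` only matched `ctXXX-` names. If `${targetgroup/prefix}` expands to the text before the first hyphen (the expansion is not visible in this file, so please confirm), membership of a `gitano-managers` or `trove-managers` group would grant op_group rights over those groups, and the site-admin rule a few lines above already lets trove-admin members create any group other than gitano-admin. Carry the existing guard over, `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen !target_group_gitano_admin trove_may_admin_target_group`, and consider a matching exclusion for trove-admin. The blank context lines were lost in rendering, so the hunk's line counts cannot be checked from this page.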