Diffstat (limited to 'gitano-admin/rules/siteadmin.lace')
-rw-r--r--gitano-admin/rules/siteadmin.lace36
1 files changed, 23 insertions, 13 deletions
diff --git a/gitano-admin/rules/siteadmin.lace b/gitano-admin/rules/siteadmin.lace
index b3818ef..06c71bb 100644
--- a/gitano-admin/rules/siteadmin.lace
+++ b/gitano-admin/rules/siteadmin.lace
@@ -1,22 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Site administration rules
# You must explicitly allow site administration here for anyone who
-# has the rights to do site admin but isn't a member of gitano-admin.
+# has the rights to do site admin but isn't an administrator.
-# ct_site_admin is a predicate which is for ct-admin
-allow "CT Site Admins can manage users" ct_site_admin op_user
-allow "CT Site Admins can manage groups other than gitano-admin" ct_site_admin op_group !target_group_gitano_admin
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
-# ctXXX-admins members are permitted to edit ctXXX-* groups
-define ct_may_admin_target_group group ${targetgroup/prefix}-admins
-define is_ct_project_target targetgroup ~^ct[0-9]+%-
-allow "CT project admins can manage ctXXX- groups for their projects" op_group is_ct_project_target ct_may_admin_target_group
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
-# Anyone is permitted to look at the people in ct-admin and ctXXX-admins
-define ct_target_group_is_ct_admin targetgroup ct-admin
-define ct_target_group_is_ctxxx_admins targetgroup ~^ct[0-9]+%-admins$
-define ct_show_target_ok anyof ct_target_group_is_ct_admin ct_target_group_is_ctxxx_admins
-allow "Anyone may see admin groups" op_groupshow ct_show_target_ok
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
# Otherwise we always deny site administration
deny "You may not perform site administration"
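Review bot: The project-manager rule (`allow "Trove project managers can manage the groups for their projects" …`) carries no `!target_group_gitano_admin` guard, unlike the site-admin rule a few lines above it, and the new `target_group_has_hyphen` match (`~%-`) no longer confines the rule to `ctNNN-` groups the way the removed `^ct[0-9]+%-` pattern did. If `${targetgroup/prefix}` is the part of the group name before the first hyphen, as the old `ctXXX` usage suggests, members of a `gitano-managers` group would satisfy `trove_may_admin_target_group` for `gitano-admin` (and `trove-managers` for `trove-admin`), so a trove site admin could create such a group, add themselves, and reach full administration despite the exclusion on the site-admin rule. I would append the same guard, `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group !target_group_gitano_admin`, and exclude `trove-admin` likewise (e.g. a `define target_group_trove_admin targetgroup trove-admin` negated in the rule). Separately, the `~^.+-managers$` pattern leaves the hyphen unescaped where every other pattern in this file writes `%-`; it still matches a literal hyphen, but it is worth making consistent.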