Diffstat (limited to 'gitano-admin')
-rw-r--r-- | gitano-admin/groups/workers.conf | 1 | ||||
-rw-r--r-- | gitano-admin/rules/defines.lace | 2 | ||||
-rw-r--r-- | gitano-admin/rules/project.lace | 4 | ||||
-rw-r--r-- | gitano-admin/users/lorry/user.conf | 2 |
4 files changed, 9 insertions, 0 deletions
diff --git a/gitano-admin/groups/workers.conf b/gitano-admin/groups/workers.conf new file mode 100644 index 0000000..1c84acf --- /dev/null +++ b/gitano-admin/groups/workers.conf @@ -0,0 +1 @@ +description "Workers who have read-access to everything" diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace index 402190e..d243afd 100644 --- a/gitano-admin/rules/defines.lace +++ b/gitano-admin/rules/defines.lace @@ -98,3 +98,5 @@ define target_group_gitano_admin targetgroup gitano-admin define is_lorry user lorry define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/ + +define is_worker group workers diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace index 3144c64..862b8a3 100644 --- a/gitano-admin/rules/project.lace +++ b/gitano-admin/rules/project.lace @@ -11,6 +11,10 @@ # Admins already got allowed, so this is for non-admin users only allow "Owners can always read and write" op_is_basic is_owner repo_is_personal +# Any non-gitano-admin repo is readable to the lorry user and the worker group +allow "Lorry may read" op_read !is_admin_repo is_lorry +allow "Workers may read" op_read !is_admin_repo is_worker + # Force /baserock and /delta to always be anon-readable which means git:// will # work. This is part of the core ruleset for Baserock because /baserock/ and # /delta/ are always open source. diff --git a/gitano-admin/users/lorry/user.conf b/gitano-admin/users/lorry/user.conf new file mode 100644 index 0000000..417950b --- /dev/null +++ b/gitano-admin/users/lorry/user.conf @@ -0,0 +1,2 @@ +email_address "lorry@trove-instance" +real_name "Source Code Lorry Service" |
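Review bot: The two new `op_read` allows in gitano-admin/rules/project.lace grant read on every repository except the admin one, which as written includes personal repositories, and they sit near the top of the ruleset; if Lace stops at the first matching allow or deny, as I understand it does, no later site or per-project rule can narrow this for a private repository. The comment above them should say so, e.g. `# Also matches personal/private repos; evaluated before any later deny, so projects cannot opt out`. Membership of `workers` thereby becomes a site-wide read grant, so changes to that group deserve the same review as changes to these rules. The description added in groups/workers.conf says "read-access to everything", which does not match the `!is_admin_repo` condition; `description "Workers who have read-access to all non-admin repositories"` would be accurate. The ruleset continues outside the hunk, so where `is_admin_repo` and `op_read` are defined cannot be checked from here.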