1 files changed, 47 insertions, 0 deletions

diff --git a/share/gitano/skel/gitano-admin/rules/core.lace b/share/gitano/skel/gitano-admin/rules/core.lace
new file mode 100644
index 0000000..dab7cfb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/core.lace
@@ -0,0 +1,47 @@
+#  _____                   
+# |_   _| __ _____   _____ 
+#   | || '__/ _ \ \ / / _ \
+#   | || | | (_) \ V /  __/
+#   |_||_|  \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core ruleset definitions for Trove.
+
+default deny "Trove ruleset failed to define result.  Access denied."
+
+include global:defines
+
+# The users in the administration group (gitano-admin) may do anything
+# they choose (providing they're not being impersonated).  By default
+# Only the user created as part of trove-setup has this level of access.
+allow "Administrators can do anything" is_admin !if_asanother
+
+# Now let's decide if we can use 'as'
+include global:aschecks if_asanother
+
+# Operations which are against 'self' get checked next
+include global:selfchecks
+
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
+# Site-defined rules for repository creation
+include global:createrepo op_createrepo
+
+# Site-defined rules for repository renaming
+include global:renamerepo op_renamerepo
+
+# Site-defined rules for repository destruction
+include global:destroyrepo op_destroyrepo
+
+# Site-defined rules for project repositories, including admin of them
+include global:project
+
+# Now the project rules themselves
+include main
+
+# If you're running your access control somewhat more openly than most, You can
+# now uncomment the following and allow git:// access to *everything* which is
+# not the admin repository
+# allow "Anonymous access is okay" op_read !is_admin_repo