Diffstat (limited to 'share/gitano/skel/gitano-admin/rules/project.lace')
-rw-r--r--share/gitano/skel/gitano-admin/rules/project.lace38
1 files changed, 38 insertions, 0 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/project.lace b/share/gitano/skel/gitano-admin/rules/project.lace
new file mode 100644
index 0000000..aa5e1e2
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/project.lace
@@ -0,0 +1,38 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Admins already got allowed, so this is for non-admin users only
+allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
+
+# Any non-gitano-admin repo is readable to the lorry user and the worker group
+allow "Lorry may read" op_read is_lorry lorryable_repo
+allow "Workers may read" op_read !is_admin_repo is_worker
+
+# Force /baserock and /delta to always be anon-readable which means git:// will
+# work. This is part of the core ruleset for Baserock because /baserock/ and
+# /delta/ are always open source.
+define is_baserock_repo repository ~^baserock/
+define is_delta_repo repository ~^delta/
+define is_opensource_repo anyof is_baserock_repo is_delta_repo
+
+allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
+
+# Project remote-configuration rules (set-head etc)
+include global:remoteconfigchecks op_is_config
+
+# Okay, if we're altering the admin ref, in we go
+include global:adminchecks is_admin_ref
+
+# Now we're into branch operations.
+# Owners of personal repositories can do any reffy operation
+allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
+
+include global:trove-project repo_is_local_project
+include global:other-project lorryable_repo
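Review bot: The "Lorry may read" rule is the only read grant in this file that omits `!is_admin_repo`, even though the comment above it says the grant covers non-gitano-admin repos only. It relies entirely on `lorryable_repo`, which is defined outside this file. Making the exclusion explicit keeps the admin repo out of the lorry user's reach if that definition ever widens: `allow "Lorry may read" op_read !is_admin_repo is_lorry lorryable_repo`. Separately, the "Anonymous access always allowed" grant is keyed only on the `^baserock/` and `^delta/` name prefixes and sits before the `global:trove-project` and `global:other-project` includes, so presumably nothing in those rulesets can restrict reads on such repos. A comment such as `# Anything created under baserock/ or delta/ is world-readable; restrict who may create repositories under these prefixes` would record that dependency.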