Diffstat (limited to 'share')
-rw-r--r-- | share/gitano/skel/gitano-admin/rules/defines.lace | 3 | ||||
-rw-r--r-- | share/gitano/skel/gitano-admin/rules/other-project.lace | 5 |
2 files changed, 5 insertions, 3 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace
index 466ac6f..16b6d96 100644
--- a/share/gitano/skel/gitano-admin/rules/defines.lace
+++ b/share/gitano/skel/gitano-admin/rules/defines.lace
@@ -100,7 +100,8 @@ define trove_site_admin group trove-admin
 define target_group_gitano_admin targetgroup gitano-admin
 define is_lorry user lorry
-define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/
+define is_local_branch ref ~^refs/heads/{{ ESC_PREFIX }}/
+define is_local_tag ref ~^refs/tags/{{ ESC_PREFIX }}/
 define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
 define is_worker group workers
diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace
index e5f05be..346718e 100644
--- a/share/gitano/skel/gitano-admin/rules/other-project.lace
+++ b/share/gitano/skel/gitano-admin/rules/other-project.lace
@@ -15,11 +15,12 @@ allow "Anyone may read here" op_read
 allow "Anyone may write here" op_write !is_anonymous
 # Lorry can do anything reffy which is not inside the local refs
-allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref
+allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }} or refs/tags/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_branch !is_local_tag
 # Noone can rewind/rebase outside of their personal refs
 deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal
 # Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }}
-allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
+allow "Project writers may alter any branches in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_branch
+allow "Project writers may alter any tags in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_tag
|
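Review bot: `is_local_ref` is removed in defines.lace rather than kept alongside the two new defines, so any rule that still names it would refer to a condition that no longer exists. Only other-project.lace is updated in the diff as shown (the diffstat is limited to share/), so the remaining skel rule files and any already-deployed gitano-admin rules are worth checking for `is_local_ref` before this lands. A short comment above the pair would also help the next reader, e.g. `# Refs in this trove's own namespace; the trailing / stops a longer prefix from matching`.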
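Review bot: The new tag rule at the end of the other-project.lace hunk grants every `op_is_reffy` operation on refs/tags/{{ TROVE_ID }}/, and the only restriction evaluated ahead of it is the `op_forcedupdate` deny. If `op_is_reffy` includes ref deletion (its definition is outside this diff), a project writer can delete a published tag and create it again on a different commit, which moves the tag without ever triggering the forced-update rule. Consider a deny placed before the allow, e.g. `deny "Local tags may not be deleted" op_deleteref !is_lorry is_local_tag`, assuming the core rules define `op_deleteref`. The comment above the two allows also still names only refs/heads; `# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }} and refs/tags/{{ TROVE_ID }}` would match what the rules now do.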