From d83ffbf8aa6fa7cb3a8c50b03b77d0c09a88ed04 Mon Sep 17 00:00:00 2001
From: Sam Thursfield
Date: Fri, 5 Jun 2015 15:32:57 +0100
Subject: Allow tags to be pushed to the trove's own namespace in mirrored repos

Previously, when Trove mirrored an upstream repo, it would allow users to push branches as long as they started with the trove-id. The intention is to keep local changes in a separate namespace that can co-exist with whatever branches the upstream repo has. This patch extends this to tags, so that users can push tags to refs/tags/{{ trove-id}}/whatever. This is necessary for the `morph anchor` command to work as expected when the 'ref' fields of some definitions point to tag objects. Git itself prevents pushing tags to 'refs/heads/...' so `morph anchor` must be configured to push them to 'refs/tags/...'. Without this patch, Gitano will prevent that as well, but with this patch, `morph anchor` should be usable. Repos in the Trove's own prefix (such as the baserock/ repos on git.baserock.org, or the foo-trove/ repos on a Trove with trove ID 'foo-trove') are the only ones not considered to be mirrors, and users can already push branches and tags wherever they want to in these repos.

Change-Id: I06496ea6c5c57d3fae7e5750cf51e31bbd16d8d2
---
 share/gitano/skel/gitano-admin/rules/defines.lace | 3 ++-
 share/gitano/skel/gitano-admin/rules/other-project.lace | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace
index 466ac6f..16b6d96 100644
--- a/share/gitano/skel/gitano-admin/rules/defines.lace
+++ b/share/gitano/skel/gitano-admin/rules/defines.lace
@@ -100,7 +100,8 @@ define trove_site_admin group trove-admin define target_group_gitano_admin targetgroup gitano-admin define is_lorry user lorry -define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/ +define is_local_branch ref ~^refs/heads/{{ ESC_PREFIX }}/ +define is_local_tag ref ~^refs/tags/{{ ESC_PREFIX }}/ define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo define is_worker group workers diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace index e5f05be..346718e 100644 --- a/share/gitano/skel/gitano-admin/rules/other-project.lace +++ b/share/gitano/skel/gitano-admin/rules/other-project.lace @@ -15,11 +15,12 @@ allow "Anyone may read here" op_read allow "Anyone may write here" op_write !is_anonymous # Lorry can do anything reffy which is not inside the local refs -allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref +allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }} or refs/tags/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_branch !is_local_tag # Noone can rewind/rebase outside of their personal refs deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal # Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }} -allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref +allow "Project writers may alter any branches in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_branch +allow "Project writers may alter any tags in the {{ TROVE_ID }} namespace" op_is_reffy !is_lorry is_local_tag -- cgit v1.2.1
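Review bot: `is_local_ref` is removed outright in defines.lace, and the diffstat shows only other-project.lace being moved to the new names, so any other rule file in the skel, or in an already-deployed gitano-admin repo, that still references it would be left pointing at a name that no longer exists. It is worth confirming that no other references remain before merging. How Lace treats an undefined define is not visible here, but on an access-control ruleset both a load failure and a rule that silently stops matching are bad outcomes. I would also put a comment above the two defines, `# Refs under the Trove's own prefix; the trailing '/' stops a longer prefix from matching`, because that anchoring is what keeps the namespace boundary exact.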
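Review bot: The new tag rule at the end of the other-project.lace hunk grants `op_is_reffy` on refs/tags/{{ TROVE_ID }}/ to every non-Lorry writer, and the only restriction ahead of it is the `op_forcedupdate` deny. If `op_is_reffy` includes ref deletion (its definition is outside this hunk), any writer could delete an anchor tag and re-create it at a different commit without ever triggering that deny. Since `morph anchor` relies on these tags to pin what definitions point at, consider limiting the tag rule to creation, for example `allow "Project writers may create tags in the {{ TROVE_ID }} namespace" op_createref !is_lorry is_local_tag` (assuming the ruleset exposes Gitano's create-only operation under that name), and leaving tag deletion to admins. The comment `# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }}` and the deny message "Non-personal branches may not be rewound/rebased" now also govern tags and should say so.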