From 54e3fbd49d10b70d04e03a646a494ec29a49ffc3 Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Tue, 17 Jun 2014 10:06:13 +0000 Subject: Move gitano skeleton to /usr/share/trove-setup/ --- share/gitano/skel/gitano-admin/rules/core.lace | 47 ++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 share/gitano/skel/gitano-admin/rules/core.lace (limited to 'share/gitano/skel/gitano-admin/rules/core.lace') diff --git a/share/gitano/skel/gitano-admin/rules/core.lace b/share/gitano/skel/gitano-admin/rules/core.lace new file mode 100644 index 0000000..dab7cfb --- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/core.lace @@ -0,0 +1,47 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Core ruleset definitions for Trove. + +default deny "Trove ruleset failed to define result. Access denied." + +include global:defines + +# The users in the administration group (gitano-admin) may do anything +# they choose (providing they're not being impersonated). By default +# Only the user created as part of trove-setup has this level of access. +allow "Administrators can do anything" is_admin !if_asanother + +# Now let's decide if we can use 'as' +include global:aschecks if_asanother + +# Operations which are against 'self' get checked next +include global:selfchecks + +# Administration operations (users, groups) next +include global:siteadmin op_is_admin + +# Site-defined rules for repository creation +include global:createrepo op_createrepo + +# Site-defined rules for repository renaming +include global:renamerepo op_renamerepo + +# Site-defined rules for repository destruction +include global:destroyrepo op_destroyrepo + +# Site-defined rules for project repositories, including admin of them +include global:project + +# Now the project rules themselves +include main + +# If you're running your access control somewhat more openly than most, You can +# now uncomment the following and allow git:// access to *everything* which is +# not the admin repository +# allow "Anonymous access is okay" op_read !is_admin_repo -- cgit v1.2.1