From 54e3fbd49d10b70d04e03a646a494ec29a49ffc3 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Tue, 17 Jun 2014 10:06:13 +0000
Subject: Move gitano skeleton to /usr/share/trove-setup/
---
share/gitano/skel/gitano-admin/rules/project.lace | 38 +++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 share/gitano/skel/gitano-admin/rules/project.lace
(limited to 'share/gitano/skel/gitano-admin/rules/project.lace')
diff --git a/share/gitano/skel/gitano-admin/rules/project.lace b/share/gitano/skel/gitano-admin/rules/project.lace
new file mode 100644
index 0000000..aa5e1e2
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/project.lace
@@ -0,0 +1,38 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Admins already got allowed, so this is for non-admin users only
+allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
+
+# Any non-gitano-admin repo is readable to the lorry user and the worker group
+allow "Lorry may read" op_read is_lorry lorryable_repo
+allow "Workers may read" op_read !is_admin_repo is_worker
+
+# Force /baserock and /delta to always be anon-readable which means git:// will
+# work. This is part of the core ruleset for Baserock because /baserock/ and
+# /delta/ are always open source.
+define is_baserock_repo repository ~^baserock/
+define is_delta_repo repository ~^delta/
+define is_opensource_repo anyof is_baserock_repo is_delta_repo
+
+allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
+
+# Project remote-configuration rules (set-head etc)
+include global:remoteconfigchecks op_is_config
+
+# Okay, if we're altering the admin ref, in we go
+include global:adminchecks is_admin_ref
+
+# Now we're into branch operations.
+# Owners of personal repositories can do any reffy operation
+allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
+
+include global:trove-project repo_is_local_project
+include global:other-project lorryable_repo
--
cgit v1.2.1
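Review bot: The "Lorry may read" rule does not carry `!is_admin_repo`, although the comment above it says only non-gitano-admin repos are readable to the lorry user, and the neighbouring "Workers may read" and anonymous rules do state that exclusion explicitly. As written, keeping lorry out of the admin repository depends entirely on `lorryable_repo`, which is defined outside this file, so a later change to that definition could silently widen read access. Stating the exclusion locally, `allow "Lorry may read" op_read !is_admin_repo is_lorry lorryable_repo`, keeps the three read rules consistent; otherwise reword the comment to say lorry access is limited to lorryable repos. It would also help to note next to `is_opensource_repo` that any repository created under `baserock/` or `delta/` becomes anonymously readable, so creation rights under those prefixes matter.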