From 54e3fbd49d10b70d04e03a646a494ec29a49ffc3 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Tue, 17 Jun 2014 10:06:13 +0000
Subject: Move gitano skeleton to /usr/share/trove-setup/
---
 .../gitano/skel/gitano-admin/rules/siteadmin.lace | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 share/gitano/skel/gitano-admin/rules/siteadmin.lace
(limited to 'share/gitano/skel/gitano-admin/rules/siteadmin.lace')
diff --git a/share/gitano/skel/gitano-admin/rules/siteadmin.lace b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..06c71bb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't an administrator.
+
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
+
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
+
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"
-- cgit v1.2.1
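Review bot: The project-managers rule, `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group`, carries no `!target_group_gitano_admin` term, whereas the site-admin `op_group` rule just above it explicitly excludes `gitano-admin`; so the protection of `gitano-admin` from this rule rests entirely on no group matching `${targetgroup/prefix}-managers` for that target (presumably `gitano-managers`) ever existing, which this file cannot show. If such a group can be created by any non-admin path, its members would satisfy `trove_may_admin_target_group` for `gitano-admin`; the same question applies to `trove-admin` via a `trove-managers` group. The cheap defence is to carry the same exclusion on this rule: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group !target_group_gitano_admin`. A comment above the `define trove_may_admin_target_group` line stating that `prefix` is assumed to be the part of the target group name before its first hyphen would also help, since the `~%-` and `${targetgroup/prefix}` expressions are not otherwise explained here; `target_group_gitano_admin` itself is not defined in this file and is presumably supplied elsewhere.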