#  _____                   
# |_   _| __ _____   _____ 
#   | || '__/ _ \ \ / / _ \
#   | || | | (_) \ V /  __/
#   |_||_|  \___/ \_/ \___|
#
# Copyright 2012 Codethink Limited
#
# Site administration rules

# You must explicitly allow site administration here for anyone who
# has the rights to do site admin but isn't an administrator.

# trove_site_admin is a predicate which matches members of the trove-admin
# group (The site-wide user/group administration group which is not the full
# administration group)
allow "Trove Site Admins can manage users" trove_site_admin op_user
allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin

# XXX-managers members are permitted to edit XXX-* groups
define trove_may_admin_target_group group ${targetgroup/prefix}-managers
define target_group_has_hyphen targetgroup ~%-
allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group

# Anyone is permitted to look at the people in trove-admin and *-managers
define trove_target_group_is_trove_admin targetgroup trove-admin
define trove_target_group_is_project_managers targetgroup ~^.+-managers$
define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
allow "Anyone may see admin groups" op_groupshow trove_show_target_ok

# Otherwise we always deny site administration
deny "You may not perform site administration"