#  _____                   
# |_   _| __ _____   _____ 
#   | || '__/ _ \ \ / / _ \
#   | || | | (_) \ V /  __/
#   |_||_|  \___/ \_/ \___|
#
# Copyright 2012 Codethink Limited
#
# Core ruleset definitions for Trove.

default deny "Trove ruleset failed to define result.  Access denied."

include global:defines

# The users in the administration group (gitano-admin) may do anything
# they choose (providing they're not being impersonated).  By default
# Only the user created as part of trove-setup has this level of access.
allow "Administrators can do anything" is_admin !if_asanother

# Now let's decide if we can use 'as'
include global:aschecks if_asanother

# Operations which are against 'self' get checked next
include global:selfchecks

# Administration operations (users, groups) next
include global:siteadmin op_is_admin

# Site-defined rules for repository creation
include global:createrepo op_createrepo

# Site-defined rules for repository renaming
include global:renamerepo op_renamerepo

# Site-defined rules for repository destruction
include global:destroyrepo op_destroyrepo

# Site-defined rules for project repositories, including admin of them
include global:project

# Now the project rules themselves
include main

# If you're running your access control somewhat more openly than most, You can
# now uncomment the following and allow git:// access to *everything* which is
# not the admin repository
# allow "Anonymous access is okay" op_read !is_admin_repo