#  _____                   
# |_   _| __ _____   _____ 
#   | || '__/ _ \ \ / / _ \
#   | || | | (_) \ V /  __/
#   |_||_|  \___/ \_/ \___|
#
# Copyright 2012 Codethink Limited
#
# Core project administration rules

# Admins already got allowed, so this is for non-admin users only
allow "Owners can always read and write" op_is_basic is_owner repo_is_personal

# Any non-gitano-admin repo is readable to the lorry user and the worker group
allow "Lorry may read" op_read is_lorry lorryable_repo
allow "Workers may read" op_read !is_admin_repo is_worker

# Force /baserock and /delta to always be anon-readable which means git:// will
# work.  This is part of the core ruleset for Baserock because /baserock/ and
# /delta/ are always open source.
define is_baserock_repo repository ~^baserock/
define is_delta_repo repository ~^delta/
define is_opensource_repo anyof is_baserock_repo is_delta_repo

allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo

# Project remote-configuration rules (set-head etc)
include global:remoteconfigchecks op_is_config

# Okay, if we're altering the admin ref, in we go
include global:adminchecks is_admin_ref

# Now we're into branch operations.
# Owners of personal repositories can do any reffy operation
allow "Owners can create refs" op_is_reffy is_owner repo_is_personal

include global:trove-project repo_is_local_project
include global:other-project lorryable_repo