blob: aa5e1e25b042a9f8d836062b57eb74e59795b0cc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
# _____
# |_ _| __ _____ _____
# | || '__/ _ \ \ / / _ \
# | || | | (_) \ V / __/
# |_||_| \___/ \_/ \___|
#
# Copyright 2012 Codethink Limited
#
# Core project administration rules
# Admins already got allowed, so this is for non-admin users only
allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
# Any non-gitano-admin repo is readable to the lorry user and the worker group
allow "Lorry may read" op_read is_lorry lorryable_repo
allow "Workers may read" op_read !is_admin_repo is_worker
# Force /baserock and /delta to always be anon-readable which means git:// will
# work. This is part of the core ruleset for Baserock because /baserock/ and
# /delta/ are always open source.
define is_baserock_repo repository ~^baserock/
define is_delta_repo repository ~^delta/
define is_opensource_repo anyof is_baserock_repo is_delta_repo
allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
# Project remote-configuration rules (set-head etc)
include global:remoteconfigchecks op_is_config
# Okay, if we're altering the admin ref, in we go
include global:adminchecks is_admin_ref
# Now we're into branch operations.
# Owners of personal repositories can do any reffy operation
allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
include global:trove-project repo_is_local_project
include global:other-project lorryable_repo
|