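# _____
# |_ _| __ _____ _____
# | || '__/ _ \ \ / / _ \
# | || | | (_) \ V / __/
# |_||_| \___/ \_/ \___|
#
# Copyright 2012 Codethink Limited
#
# Site administration rules (Lace ruleset)
#
# Rules are evaluated top to bottom and the first matching allow/deny wins,
# so the unconditional deny at the bottom is the default for any request
# that none of the allows above it accepts.
#
# You must explicitly allow site administration here for anyone who
# has the rights to do site admin but isn't an administrator.
# trove_site_admin is a predicate which matches members of the trove-admin
# group (The site-wide user/group administration group which is not the full
# administration group)
allow "Trove Site Admins can manage users" trove_site_admin op_user
# target_group_gitano_admin is defined elsewhere in the ruleset; it keeps
# site admins (who are not full administrators) out of the full
# administration group.
allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin

# XXX-managers members are permitted to edit XXX-* groups
# The prefix of the target group name selects the managers group that may
# administer it, e.g. a target group "foo-ci" would be managed by members of
# "foo-managers" (assumes ${targetgroup/prefix} yields the text before the
# first hyphen -- confirm against the Lace documentation).
define trove_may_admin_target_group group ${targetgroup/prefix}-managers
# Only groups that actually carry a project prefix are eligible.
define target_group_has_hyphen targetgroup ~%-
define trove_target_group_is_trove_admin targetgroup trove-admin
# Both administration groups contain a hyphen, so with the prefix rule above
# members of a "gitano-managers" or "trove-managers" group could otherwise
# edit gitano-admin or trove-admin through this project-manager rule and
# thereby obtain the site-admin rights granted earlier. The gitano-admin
# guard mirrors the one on the site-admin rule; the trove-admin guard keeps
# project managers out of the site-admin group itself.
allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group !target_group_gitano_admin !trove_target_group_is_trove_admin

# Anyone is permitted to look at the people in trove-admin and *-managers
define trove_target_group_is_project_managers targetgroup ~^.+-managers$
define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
# Otherwise we always deny site administration
deny "You may not perform site administration"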