authorRichard Maw <richard.maw@gmail.com>2017-08-02 20:26:52 +0100
committerRichard Maw <richard.maw@gmail.com>2017-08-03 14:26:13 +0100
commit5842706881e4b178c7da11cfc9c0a4efdef27143 (patch)
treea651e78a1e69d78eab098d6e4a877b542eee8545
parent4ee7ecc2f735188b0aa06c87f4f62279b328b116 (diff)
downloadgitano-5842706881e4b178c7da11cfc9c0a4efdef27143.tar.gz
Move config based auth to own file
It warrants more explanation than is reasonable in the midst of the rest of the rules, and allows it to be included in alternative locations without unnecessary code duplication.
-rw-r--r--skel/gitano-admin/rules/core.lace5
-rw-r--r--skel/gitano-admin/rules/project.lace9
-rw-r--r--skel/gitano-admin/rules/simpleprojectauth.lace55
3 files changed, 64 insertions, 5 deletions
diff --git a/skel/gitano-admin/rules/core.lace b/skel/gitano-admin/rules/core.lace
index c315ab2..72f143c 100644
--- a/skel/gitano-admin/rules/core.lace
+++ b/skel/gitano-admin/rules/core.lace
@@ -62,6 +62,11 @@ include global:project
# Now the project rules themselves
include main
+# Allow looking up whether the user is permitted in repository config.
+# To prevent repositories from overriding project.{readers,writers} behaviour
+# uncomment the code below and comment or remove the code in project.lace
+#include global:simpleprojectauth
+
# Now, if you want to allow anonymous access if the project doesn't prevent
# it, then you can uncomment the following:
# allow "Anonymous access is okay" op_read !is_admin_repo
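Review bot: The comment added above the commented-out include in core.lace contradicts the rest of this commit: it says uncommenting `include global:simpleprojectauth` here, after `include main`, is how to *prevent* repositories from overriding project.{readers,writers}, whereas the parallel comment in project.lace and the header of the new simpleprojectauth.lace both describe the core.lace (after main.lace) placement as the one that lets projects interpret the variables differently. If rules are evaluated in order with the first match winning, as the "before/after main.lace" wording in the new file suggests, the include that runs after the repository's own rules is the overridable one, so the core.lace comment is the inverted one and project.lace's is right. Suggest `# To permit repositories to override project.{readers,writers} behaviour` / `# uncomment the code below and comment or remove the code in project.lace`. Since this is an authorisation boundary, the two comments should say the same thing before this ships.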
diff --git a/skel/gitano-admin/rules/project.lace b/skel/gitano-admin/rules/project.lace
index 3bcaf7e..cc67bbf 100644
--- a/skel/gitano-admin/rules/project.lace
+++ b/skel/gitano-admin/rules/project.lace
@@ -28,11 +28,10 @@
#
# Core project administration rules
-allow "User is project reader" op_read is_project_reader
-
-allow "User is project writer" op_read is_project_writer
-allow "User is project writer" op_write is_project_writer
-allow "User is project writer" op_is_normal is_project_writer
+# Allow looking up whether the user is permitted in repository config.
+# To permit repositories to override project.{readers,writers} behaviour
+# comment out or delete the code below and uncomment the code in core.lace
+include global:simpleprojectauth
# Admins already got allowed, so this is for non-admin users only
allow "Owners can always read and write" op_is_basic is_owner
diff --git a/skel/gitano-admin/rules/simpleprojectauth.lace b/skel/gitano-admin/rules/simpleprojectauth.lace
new file mode 100644
index 0000000..56e333f
--- /dev/null
+++ b/skel/gitano-admin/rules/simpleprojectauth.lace
@@ -0,0 +1,55 @@
+# This file is part of the standard ruleset from Gitano
+# Copyright 2017 Richard Maw <richard.maw@gmail.com>
+# Copyright 2017 Richard Ipsum <richardipsum@fastmail.co.uk>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. Neither the name of the author nor the names of their contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# Simple deferred project authorisation
+#
+# This implements simple project authorisation
+# by whether the user performing the access is listed in the per-repository
+# configuration variables:
+#
+# 1. project.readers if they are performing a read operation (clone, fetch),
+# 2. project.writers if they are performing a write operation (push).
+#
+# This is intended as a sane default for sites with small numbers of users
+# and repositories, where it's feasible to authorise each repository by hand.
+#
+# For larger numbers of repositories and users,
+# delegating permission to manage groups to users,
+# and letting users grant access to repositories by group membership is better.
+#
+# It can be enabled before main.lace (inside gitano-admin rules/project.lace)
+# to require all repositories support config variable based authorisation,
+# or after main.lace (inside gitano-admin rules/core.lace)
+# if projects may insist on interpreting the variables differently.
+
+allow "User is project reader" op_read is_project_reader
+
+allow "User is project writer" op_read is_project_writer
+allow "User is project writer" op_write is_project_writer
+allow "User is project writer" op_is_normal is_project_writer
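Review bot: The header comment describes only reader→read and writer→write, but the rules at the end of the file also grant project.writers `op_read` and `op_is_normal`, while project.readers receive `op_read` only; someone auditing access from the header alone would under-count what a project.writers entry grants. Suggest extending item 2 to `# 2. project.writers if they are performing a write operation (push),` followed by `#    which also grants op_read and op_is_normal.`, keeping to the op names since their exact coverage is not defined here. It would also help to state that these are `allow`-only rules: a user in neither list is not denied by this file but falls through to whatever rules follow the include, which matters for the "before main.lace" placement described above.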