author: Richard Maw <richard.maw@gmail.com> 2017-01-02 18:10:43 +0000
committer: Richard Maw <richard.maw@gmail.com> 2017-01-02 18:25:52 +0000
commit: 2b1274b34b244f293b60035603b3efc7bba0944a (patch)
tree: 35819af133f4298194a4ac896411ba46f1b4c5ab /doc
parent: 557135fa79d402ca53dbaf8f3f79ca207688c720 (diff)
download: gitano-2b1274b34b244f293b60035603b3efc7bba0944a.tar.gz
admin-doc: Correct explanation of how simple match operators work
Diffstat (limited to 'doc')
-rw-r--r-- doc/admin/000.mdwn 49
1 files changed, 36 insertions, 13 deletions
diff --git a/doc/admin/000.mdwn b/doc/admin/000.mdwn
index c46ed52..2c3e74b 100644
--- a/doc/admin/000.mdwn
+++ b/doc/admin/000.mdwn
@@ -174,8 +174,8 @@ condition, and either allow or deny access if the condition is true.
For example, the following two rules will allow access to cats, and
deny access to dogs:
- define user_is_cat user cat
- define user_is_dog user dog
+ define user_is_cat user exact cat
+ define user_is_dog user exact dog
allow "Cats are cool" user_is_cat
deny "Dogs drool too much" user_is_dog
@@ -184,8 +184,8 @@ This is useful for more complicated things. For simpler things, like
the example above, you could write the condition directly into the
allow/deny statements:
- allow "Cats are cool" [user cat]
- deny "Dogs drool too much" [user dog]
+ allow "Cats are cool" [user exact cat]
+ deny "Dogs drool too much" [user exact dog]
What happens if user is neiter cat nor dog? Neither condition will be
true, and so access is neither allowed nor denied by the above ruleset
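Review bot: The context line directly under the changed rules reads "neiter cat nor dog"; since this patch is already correcting the examples in this paragraph, fix the spelling to "neither" in the same change.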
@@ -212,15 +212,33 @@ The Lace language consists of the following constructs:
The allow/deny statements look like this:
- allow "Everyone can see who they are" [operation whoami]
- deny "No more repos" [operation createrepo]
+ allow "Everyone can see who they are" [operation exact whoami]
+ deny "No more repos" [operation exact createrepo]
In other words, the action (`allow` or `deny`), a message shown to the
user if the action is taken, and a Boolean condition that decides if
the action should be taken. In the example above, the conditions are
-`operation whoami` and `operation createrepo`. These use the operator
-`operation`, which takes one argument, and evaluates to true if the
-user is trying to do that operation. Operation, operation, operation.
+`operation exact whoami` and `operation exact createrepo`.
+These use the predicate
+`operation`, which takes two arguments:
+
+1. A string comparison operator
+
+ This can be one of:
+
+ 1. `exact` if the operand must be exactly the same as the value.
+ This makes the most sense for the `operation` operator.
+ 2. `prefix` if the value must begin with the operand.
+ 3. `suffix` if the value must end with the operand.
+ `prefix` is often used for branch namespaces,
+ and may be used for repository namespaces.
+ 4. `pattern` if the value must match a lua string match expression.
+ 5. `pcre` if the value must match a perl-compatible regular expression.
+
+2. The operand to compare against.
+
+In this case our condition evalueates to true
+if the user is trying to do that operation.
## Predicates in conditions
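Review bot: In the new comparison-operator list, the sentence "`prefix` is often used for branch namespaces, and may be used for repository namespaces." is placed under item 3 (`suffix`), so it reads as a remark about suffix matching; move it under item 2. The `exact` item also calls `operation` an "operator" while the sentence introducing the list calls it a "predicate", so settle on one term, and "evalueates" in the closing sentence should be "evaluates".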
@@ -259,16 +277,21 @@ Table: Gitano predicates
Predicates can be combined using the operators `anyof` and `allof`:
- allow "Mammals are cool" anyof [user cat] [user dog]
+ allow "Mammals are cool" anyof [user exact cat] [user exact dog]
These operators are followed by a list of conditions, and the result
is true if any condition, or all conditions, respectively, are true.
`anyof` is Boolean OR, `allof` is Boolean AND.
-The result of a condition may be negated with the boolean NOT
-operation (`!`):
+The result of an `allow`, `deny`, `anyof` or `alloff` condition
+may be negated with the boolean NOT operation (`!`):
+
+ deny "No cats" ![user exact cat]
+
+Predicates may also have the negation of their operation specified,
+so the following is equivalent to the above.
- deny "Only cats" ![user cat]
+ deny "No cats" [user !exact cat]
## Variables for conditions
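Review bot: The message on both new deny examples looks inverted: `![user exact cat]` and `[user !exact cat]` are true when the user is not cat, so the rule denies everyone except cat, which the removed message "Only cats" described and "No cats" does not. Either restore the old message or drop the negation so the text and the rule agree, because an administrator copying this example would get the opposite access decision from the one the message implies. Separately, "alloff" should be `allof`, and the new sentence lists `allow` and `deny` as conditions that can be negated while the example negates a bracketed predicate; state which forms `!` actually applies to.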