diff options
author | Richard Maw <richard.maw@gmail.com> | 2016-12-03 15:05:25 +0000 |
---|---|---|
committer | Richard Maw <richard.maw@gmail.com> | 2016-12-03 15:21:55 +0000 |
commit | 6003734d6ea3b900d0c35f0a5262da5c37476c4a (patch) | |
tree | 532d5549ae6df4aa05f3c9d9cb81b2797ffc71db /skel/gitano-admin | |
parent | a6dbfbcae45f653aa24a3702120289381b77d804 (diff) | |
download | gitano-6003734d6ea3b900d0c35f0a5262da5c37476c4a.tar.gz |
rules-skeleton: Allow forcing personal-repo read
There was previously support to allow personal repository creation,
but whether you could access those repositories was still limited to ownership.
This allows you to expand rules so that even if a repository
was owned by someone else you could still read it if it's in your prefix.
In most circumstances this should not matter,
but it can cause confusing error messages
if you are told you are denied read access to a repository in your prefix
if it instead doesn't exist, since the ownership test requires it to exist.
We can't instead report that the repository doesn't exist before checking owner
since that would leak that a repository you don't have access to exists.
Diffstat (limited to 'skel/gitano-admin')
-rw-r--r-- | skel/gitano-admin/rules/createrepo.lace | 2 | ||||
-rw-r--r-- | skel/gitano-admin/rules/defines.lace | 2 | ||||
-rw-r--r-- | skel/gitano-admin/rules/project.lace | 3 |
3 files changed, 5 insertions, 2 deletions
diff --git a/skel/gitano-admin/rules/createrepo.lace b/skel/gitano-admin/rules/createrepo.lace index 6807726..7f31d13 100644 --- a/skel/gitano-admin/rules/createrepo.lace +++ b/skel/gitano-admin/rules/createrepo.lace @@ -4,8 +4,6 @@ # so this is for non-admins. # Uncomment the following to allow repositories in personal/username/ - -# define repo_is_personal repository prefix personal/${user}/ # allow "Personal repo creation is okay" repo_is_personal # Otherwise the default is that non-admins can't create repositories diff --git a/skel/gitano-admin/rules/defines.lace b/skel/gitano-admin/rules/defines.lace index 4e3bb6d..112b442 100644 --- a/skel/gitano-admin/rules/defines.lace +++ b/skel/gitano-admin/rules/defines.lace @@ -4,6 +4,8 @@ define is_admin group exact gitano-admin define is_owner config/project/owner exact ${user} +define repo_is_personal repository prefix personal/${user}/ + define if_asanother as_user pattern . # Self-related operations diff --git a/skel/gitano-admin/rules/project.lace b/skel/gitano-admin/rules/project.lace index 26729d6..9d1dc95 100644 --- a/skel/gitano-admin/rules/project.lace +++ b/skel/gitano-admin/rules/project.lace @@ -3,6 +3,9 @@ # Admins already got allowed, so this is for non-admin users only allow "Owners can always read and write" op_is_basic is_owner +# Uncomment to force read access to repositories in personal/username/ +# allow "Prefix owners can always read and write" repo_is_personal + # Uncomment if you want to *force* anonymous access to all but gitano-admin # allow "Anonymous access always allowed" op_read !is_admin_repo |