-rw-r--r-- | example/gitano-admin/rules/core.lace | 3 | ||||
-rw-r--r-- | example/gitano-admin/rules/defines.lace | 24 | ||||
-rw-r--r-- | example/gitano-admin/rules/siteadmin.lace | 7 |
3 files changed, 34 insertions, 0 deletions
diff --git a/example/gitano-admin/rules/core.lace b/example/gitano-admin/rules/core.lace
index 6d3857b..5cdb388 100644
--- a/example/gitano-admin/rules/core.lace
+++ b/example/gitano-admin/rules/core.lace
@@ -13,6 +13,9 @@ include global:aschecks if_asanother
 # Operations which are against 'self' get checked next
 include global:selfchecks
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
 # Owners of repositories are allowed to hand it over
 allow "Owners can hand over repositories" is_owner op_setowner
diff --git a/example/gitano-admin/rules/defines.lace b/example/gitano-admin/rules/defines.lace
index 9c8324f..6f100ae 100644
--- a/example/gitano-admin/rules/defines.lace
+++ b/example/gitano-admin/rules/defines.lace
@@ -10,6 +10,30 @@ define if_asanother as_user ~.
 define op_whoami operation whoami
 define op_sshkey operation sshkey
+# Admin-related operations
+
+## Users
+define op_useradd operation useradd
+define op_userdel operation userdel
+define op_userlist operation userlist
+define op_useremail operation useremail
+define op_username operation username
+define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
+
+## Groups
+define op_grouplist operation grouplist
+define op_groupadd operation groupadd
+define op_groupdel operation groupdel
+define op_groupadduser operation groupadduser
+define op_groupdeluser operation groupdeluser
+define op_groupaddgroup operation groupaddgroup
+define op_groupdelgroup operation groupdelgroup
+define op_groupdescription operation groupdescription
+define op_group anyof op_grouplist op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
+
+## Aggregation of admin ops
+define op_is_admin anyof op_user op_group
+
 # Primary repository-related operations
 define op_read operation read
 define op_write operation write
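Review bot: The new `include global:siteadmin op_is_admin` line carries a comment that says only "next", but its position is what makes the policy fail closed: siteadmin.lace (added in this same change) ends with an unconditional deny, so an admin operation routed into it never falls through to the owner and repository rules below, and any rule meant to grant admin rights has to sit before this include. That ordering constraint deserves to be stated where a later editor will see it, e.g. `# Administration operations (users, groups) next. siteadmin.lace ends in a deny, so admin ops never reach the repository rules below; rules granting site admin must come before this include.` Where gitano-admin members themselves are granted these operations is not visible in this hunk, so I cannot confirm that such a rule precedes the include.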
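Review bot: `op_is_admin` is a hand-maintained enumeration, and in core.lace it is the sole condition that routes an operation into siteadmin.lace, so any future admin operation that is not added to `op_user` or `op_group` silently bypasses the site-administration rules and is evaluated by the repository rules instead. A comment above `## Aggregation of admin ops` should make that invariant explicit, e.g. `# Every site-administration operation must be reachable from op_is_admin: an operation missing here is not routed through siteadmin.lace at all.` As a point of naming, `op_is_admin` reads like a predicate while its siblings `op_user` and `op_group` are operation sets; `op_admin` would match the convention of the surrounding defines.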
diff --git a/example/gitano-admin/rules/siteadmin.lace b/example/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..bf72bb2
--- /dev/null
+++ b/example/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,7 @@
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't a member of gitano-admin.
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"
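Review bot: The comment tells the administrator to add allow rules here but gives no shape for one, and since the file's only rule is an unconditional `deny`, any allow that is placed after it is dead if rules are evaluated in order, as the "checked next" wording in core.lace suggests. A commented template above the deny would make both points concrete, e.g. `# allow "<reason shown to the user>" <predicate-from-defines.lace> op_is_admin` with a note that it must precede the deny. It is also worth saying in the comment that the deny is deliberately unconditional (the fail-closed default) so nobody "fixes" it by adding a predicate. Where gitano-admin members are granted these operations is outside this file, so the comment's claim about them cannot be checked here.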