Diffstat (limited to 'example')
-rw-r--r--example/gitano-admin/rules/core.lace3
-rw-r--r--example/gitano-admin/rules/defines.lace24
-rw-r--r--example/gitano-admin/rules/siteadmin.lace7
3 files changed, 34 insertions, 0 deletions
diff --git a/example/gitano-admin/rules/core.lace b/example/gitano-admin/rules/core.lace
index 6d3857b..5cdb388 100644
--- a/example/gitano-admin/rules/core.lace
+++ b/example/gitano-admin/rules/core.lace
@@ -13,6 +13,9 @@ include global:aschecks if_asanother
# Operations which are against 'self' get checked next
include global:selfchecks
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
# Owners of repositories are allowed to hand it over
allow "Owners can hand over repositories" is_owner op_setowner
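Review bot: The include added on the `include global:siteadmin op_is_admin` line pulls in a file whose only rule is an unconditional deny, so every operation matching op_is_admin that reaches this point is refused unless some earlier rule in core.lace already allowed it; the comment above the include does not say this. Suggest `# Admin ops (users, groups) not already allowed above are denied by siteadmin.lace`. The rule that grants these operations to gitano-admin members is not visible in this hunk and is presumably earlier in the file (the aschecks/selfchecks includes precede this), which means a user changing their own email or name is decided by selfchecks before this include is consulted. The surrounding rule list continues outside the hunk.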
diff --git a/example/gitano-admin/rules/defines.lace b/example/gitano-admin/rules/defines.lace
index 9c8324f..6f100ae 100644
--- a/example/gitano-admin/rules/defines.lace
+++ b/example/gitano-admin/rules/defines.lace
@@ -10,6 +10,30 @@ define if_asanother as_user ~.
define op_whoami operation whoami
define op_sshkey operation sshkey
+# Admin-related operations
+
+## Users
+define op_useradd operation useradd
+define op_userdel operation userdel
+define op_userlist operation userlist
+define op_useremail operation useremail
+define op_username operation username
+define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
+
+## Groups
+define op_grouplist operation grouplist
+define op_groupadd operation groupadd
+define op_groupdel operation groupdel
+define op_groupadduser operation groupadduser
+define op_groupdeluser operation groupdeluser
+define op_groupaddgroup operation groupaddgroup
+define op_groupdelgroup operation groupdelgroup
+define op_groupdescription operation groupdescription
+define op_group anyof op_grouplist op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
+
+## Aggregation of admin ops
+define op_is_admin anyof op_user op_group
+
# Primary repository-related operations
define op_read operation read
define op_write operation write
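Review bot: The aggregate `define op_is_admin anyof op_user op_group` folds read-only listing operations (op_userlist, op_grouplist) together with mutating ones (useradd, userdel, groupadd, groupdel, and the group membership edits), so any allow written against op_is_admin or op_user/op_group grants the full set at once. A comment noting that allows should be scoped to the individual defines when only listing is intended would help, e.g. `## Aggregation of admin ops - allow individual op_* defines for narrower grants`. If further admin operations are added later they will need to be added to these aggregates, or they will not be routed through siteadmin.lace by the include in core.lace.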
diff --git a/example/gitano-admin/rules/siteadmin.lace b/example/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..bf72bb2
--- /dev/null
+++ b/example/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,7 @@
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't a member of gitano-admin.
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"
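Review bot: The guidance comment on lines 3-4 of the new file tells an operator to add allows "here" but not where relative to the final deny; since `deny "You may not perform site administration"` has no condition, an allow placed after it can never take effect (assuming Lace's first-match evaluation, which this file's layout implies). Suggest extending the comment with `# Any allow rules must be placed above the unconditional deny below` and adding `# and should name the specific op_* define being granted, not op_is_admin` so a grant for one operation does not become a grant for all user and group administration.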