# This file is part of the standard ruleset from Gitano # Copyright 2012-2017 Daniel Silverstone # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. Neither the name of the author nor the names of their contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # Ruleset processing begins here. Please read the administrator manual # and/or the Gitano Wiki to understand the ruleset. # Prepare the initial definitions default deny "The ruleset didn't provide access. Denying by default." include global:defines # Now, if we're in the admin group, we can always do stuff allow "Administrators can do anything" is_admin !if_asanother # Now let's decide if we can use 'as' include global:aschecks if_asanother # Operations which are against 'self' get checked next include global:selfchecks # Administration operations (users, groups) next include global:siteadmin op_is_admin # Site-defined rules for repository creation include global:createrepo op_createrepo # Site-defined rules for repository renaming include global:renamerepo op_renamerepo # Site-defined rules for repository destruction include global:destroyrepo op_destroyrepo # Site-defined rules for project repositories, including admin of them include global:project # Now the project rules themselves include main # Allow looking up whether the user is permitted in repository config. # To prevent repositories from overriding project.{readers,writers} behaviour # uncomment the code below and comment or remove the code in project.lace #include global:simpleprojectauth # Now, if you want to allow anonymous access if the project doesn't prevent # it, then you can uncomment the following: # allow "Anonymous access is okay" op_read !is_admin_repo