<!-- -*- markdown -*- -->

Looking after the dead
======================

Earlier we talked about how `destroy` allows the owner of a repository (or
someone with delegated access) to remove a repository from a Gitano server.  At
the time we said this was a two-part process and `graveyard` is the other half
of the story.

When repositories are destroyed they are not removed from the filesystem.
Instead they go to live in a special directory called the graveyard, which is
separate from the repository root.  Only the `graveyard` command can interact
with these destroyed repositories.

    EXAMPLE Sometimes, even git servers die.
          _.---,._,'
         /' _.--.<
           /'     `'
         /' _.---._____
         \.'   ___, .-'`
             /'    \\             .
           /'       `-.          -|-
          |                       |
          |                   .-'~~~`-.
          |                 .'         `.
          |                 |  R  I  P  |
    jgs   |                 |           |
          |                 | Gitorious |
           \              \\| 2008-2016 |//
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When a user owns a repository, they are permitted to destroy it, they will no
longer be able to see if in the output of the `ls` command and unless the
administrator of the Gitano instance has done some ACL trickery, they will not
be able to then look into the graveyard to see it.

    SCENARIO graveyard

    GIVEN a standard instance
      AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch
      AND testinstance, using adminkey, adds a new user alice, with a key called main
     WHEN alice main runs create personal/alice/testrepo
      AND alice main runs ls
     THEN stdout contains personal/alice/testrepo
     WHEN alice main runs destroy personal/alice/testrepo --force
      AND alice main runs ls
     THEN stdout does not contain personal/alice/testrepo

When a repository is deleted it is put in the graveyard.
By default normal users are not allowed to look at the graveyard...

    WHEN alice main, expecting failure, runs graveyard list
    THEN stderr contains CRIT: You may not perform site administration

...and only admin users may browse the graveyard and restore repositories.

    WHEN testinstance adminkey runs graveyard list
    THEN stdout contains personal.alice.testrepo.*\.destroyed

When a repository is restored it is owned by the original owner.

    WHEN testinstance adminkey restores the latest deletion to personal/alice/testrepo
     AND testinstance adminkey runs config personal/alice/testrepo show project.owner
    THEN stdout contains project\.owner: alice

It is thus fully usable by the user who deleted it.

    WHEN alice main runs ls
    THEN stdout contains personal/alice/testrepo
    WHEN alice main runs config personal/alice/testrepo show project.owner
    THEN stdout contains project\.owner: alice

Disk space is finite, so when a repository is no longer wanted
then it has to be purged from the graveyard as well.

    WHEN alice main runs destroy personal/alice/testrepo --force
    WHEN testinstance adminkey purges the latest deletion
     AND testinstance adminkey runs graveyard list
    THEN stdout does not contain personal.alice.testrepo

    FINALLY the instance is torn down