-rw-r--r--conf/gitolite.conf25
1 files changed, 21 insertions, 4 deletions
diff --git a/conf/gitolite.conf b/conf/gitolite.conf
index 85871eb..6bbe627 100644
--- a/conf/gitolite.conf
+++ b/conf/gitolite.conf
@@ -11,22 +11,39 @@
repo @all
- VREF/gpg-check = @all
-# Gitolite control repository. Sysadmins only.
+# Gitolite control repository. Write restricted to sysadmins, since
+# the VREF above is a form of access control we don't want bypassed,
+# but allow any authorized user to read the config if they like.
repo gitolite-admin
- RW+ = @admins
+ RW+ = @admins
+ R = @all
# Everything but the gitolite-admin repository is currently set up for
# "wild repositories" (http://sitaramc.github.com/gitolite/wild.html).
#
# In theory, this lets authenticated users create their own
# repositories without needing to touch this file.
+#
+# In all of these, we allow read permission to @all, on the theory
+# that it doesn't make much sense to restrict read via SSH while
+# allowing it via plain HTTP. So we have no current use for the
+# READERS role. Add it back if we ever find a use for it.
-# Not sure whether we want "R = @all" (or "R = @core") here or not.
+# Principal of Least Astonishment says that users should create
+# repositories that look like they belong to other users.
+
+repo users?/CREATOR/..*
+ C = @all
+ RW+ = CREATOR
+ RW = WRITERS
+ R = @all
+
+# Other wild repositories. Might consider restricting top-level to
+# enforce a particular hierarchy, ask the users what they want.
repo [a-zA-Z0-9].*
C = @all
RW+ = CREATOR
RW = WRITERS
- R = READERS
R = @all
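Review bot: The new `repo users?/CREATOR/..*` rule does not by itself stop a user from creating a repo under someone else's name, because the catch-all `repo [a-zA-Z0-9].*` that follows also matches `users/alice/foo` and also grants `C = @all`; how gitolite resolves overlapping wild patterns is version-dependent, so this should be tested (as bob, try to create `users/alice/x`) and, if it succeeds, the catch-all should be narrowed so that names under `users?/` fall only under the CREATOR rule. The comment introduced just above that rule also states the opposite of its intent and has a typo: it should read `# Principle of Least Astonishment says that users should not create` / `# repositories that look like they belong to other users.`. Separately, the new comment on gitolite-admin refers to "the VREF above" as access control that must not be bypassed, yet the hunk appears to remove `VREF/gpg-check = @all` from `repo @all`; if that removal is intentional the comment is stale and the gpg check no longer applies to any repo, and if it is not, the VREF line needs restoring. Note too that `R = @all` on gitolite-admin discloses the full ACL, the admin roster and every key in keydir/ to any authenticated user, which the comment accepts but is worth stating explicitly.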