Diffstat (limited to 'conf')
-rw-r--r-- | conf/gitolite.conf | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/conf/gitolite.conf b/conf/gitolite.conf index 85871eb..6bbe627 100644 --- a/conf/gitolite.conf +++ b/conf/gitolite.conf @@ -11,22 +11,39 @@ repo @all - VREF/gpg-check = @all -# Gitolite control repository. Sysadmins only. +# Gitolite control repository. Write restricted to sysadmins, since +# the VREF above is a form of access control we don't want bypassed, +# but allow any authorized user to read the config if they like. repo gitolite-admin - RW+ = @admins + RW+ = @admins + R = @all # Everything but the gitolite-admin repository is currently set up for # "wild repositories" (http://sitaramc.github.com/gitolite/wild.html). # # In theory, this lets authenticated users create their own # repositories without needing to touch this file. +# +# In all of these, we allow read permission to @all, on the theory +# that it doesn't make much sense to restrict read via SSH while +# allowing it via plain HTTP. So we have no current use for the +# READERS role. Add it back if we ever find a use for it. -# Not sure whether we want "R = @all" (or "R = @core") here or not. +# Principal of Least Astonishment says that users should create +# repositories that look like they belong to other users. + +repo users?/CREATOR/..* + C = @all + RW+ = CREATOR + RW = WRITERS + R = @all + +# Other wild repositories. Might consider restricting top-level to +# enforce a particular hierarchy, ask the users what they want. repo [a-zA-Z0-9].* C = @all RW+ = CREATOR RW = WRITERS - R = READERS R = @all |
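Review bot: The catch-all rule `repo [a-zA-Z0-9].*` still carries `C = @all`, and its pattern also matches names under `users/<someone-else>/`, so the new `repo users?/CREATOR/..*` stanza does not by itself stop a user from creating a repository that looks like it belongs to another user. Going by the visible rules, the catch-all would let them create it and become its CREATOR. Consider excluding the `users?/` prefix from the catch-all pattern, or denying `C` on `users?/.*` outside the CREATOR rule, so the stated intent is actually enforced. The comment above the new stanza also appears to have lost a "not" ("users should create repositories that look like they belong to other users" reads as the opposite of what the rule does), and "Principal" should be "Principle". Finally, `users?` accepts both `user/` and `users/` as prefixes. If only one spelling is wanted, pin it so that two parallel per-user hierarchies cannot appear.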