From e50462ad917677a4c867abd4c1ae5024c7ad5241 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Thu, 6 Nov 2014 17:13:35 -0500
Subject: Add rule for user/foo tree.
Allow read-only access to this repository by other authorized users.
---
 conf/gitolite.conf | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/conf/gitolite.conf b/conf/gitolite.conf
index 85871eb..6bbe627 100644
--- a/conf/gitolite.conf
+++ b/conf/gitolite.conf
@@ -11,22 +11,39 @@ repo @all
 - VREF/gpg-check = @all
-# Gitolite control repository. Sysadmins only.
+# Gitolite control repository. Write restricted to sysadmins, since
+# the VREF above is a form of access control we don't want bypassed,
+# but allow any authorized user to read the config if they like.
 repo gitolite-admin
- RW+ = @admins
+ RW+ = @admins
+ R = @all
 # Everything but the gitolite-admin repository is currently set up for
 # "wild repositories" (http://sitaramc.github.com/gitolite/wild.html).
 #
 # In theory, this lets authenticated users create their own
 # repositories without needing to touch this file.
+#
+# In all of these, we allow read permission to @all, on the theory
+# that it doesn't make much sense to restrict read via SSH while
+# allowing it via plain HTTP. So we have no current use for the
+# READERS role. Add it back if we ever find a use for it.
-# Not sure whether we want "R = @all" (or "R = @core") here or not.
+# Principal of Least Astonishment says that users should create
+# repositories that look like they belong to other users.
+
+repo users?/CREATOR/..*
+ C = @all
+ RW+ = CREATOR
+ RW = WRITERS
+ R = @all
+
+# Other wild repositories. Might consider restricting top-level to
+# enforce a particular hierarchy, ask the users what they want.
 repo [a-zA-Z0-9].*
 C = @all
 RW+ = CREATOR
 RW = WRITERS
- R = READERS
 R = @all
-- 
cgit v1.2.3
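Review bot: The new `repo users?/CREATOR/..*` rule does not by itself prevent one user from creating a repository that looks like it belongs to another, which is the very astonishment the comment above it is about: the unchanged catch-all `repo [a-zA-Z0-9].*` further down in the hunk also matches names such as `users/<someone-else>/foo` and grants `C = @all`, so whoever pushes such a name first would, as far as I understand gitolite's evaluation of every matching pattern, become CREATOR of that path. If the intent is to reserve the `users?/<name>/` tree for its owner, the catch-all presumably needs to exclude that prefix (for example `repo (?!users?/)[a-zA-Z0-9].*`, assuming gitolite's Perl-regex matching accepts a lookahead, which should be confirmed before relying on it), or the hierarchy should be split by top level as the later comment already contemplates. Separately, the comment says the opposite of what the rule is meant to enforce and has a typo; suggest `# Principle of Least Astonishment says that users should not create` / `# repositories that look like they belong to other users.`.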