author | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2013-05-17 15:27:14 +0100 |
committer | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2013-05-17 15:27:14 +0100 |
commit | 4f6fbbb22d6f769694250b904985c6196067d7de (patch) | |
tree | d0498fbc392dd0a5b953b2e53e11f541bec9e014 /gitano-admin | |
parent | a2c5cf39071b52b78dc50879f941f25470c32337 (diff) | |
download | trove-setup-4f6fbbb22d6f769694250b904985c6196067d7de.tar.gz |
Add rules to deny forced updates to refs which are not under
TROVE_ID/${user}/...
This reduces the chance of accidentally force-pushing to a non-personal branch
when using an old version of git, or one that has been misconfigured.
Reviewed-By: Richard Maw <richard.maw@codethink.co.uk>
Diffstat (limited to 'gitano-admin')
-rw-r--r-- | gitano-admin/rules/defines.lace | 3 | ||||
-rw-r--r-- | gitano-admin/rules/other-project.lace | 5 | ||||
-rw-r--r-- | gitano-admin/rules/trove-project.lace | 3 |
3 files changed, 8 insertions, 3 deletions
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index d24b858..ab49034 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -4,7 +4,7 @@
 # | || | | (_) \ V / __/
 # |_||_| \___/ \_/ \___|
 #
-# Copyright 2012 Codethink Limited
+# Copyright 2012,2013 Codethink Limited
 #
 # Core definitions for access control
@@ -82,6 +82,7 @@ define is_admin_ref ref refs/gitano/admin
 #
 define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/
+define ref_is_personal ref ~^refs/heads/##ESC_PREFIX##/${user}/
 define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/
 define project_reader group ${repository/2}-readers
diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace
index ad88098..a42c06a 100644
--- a/gitano-admin/rules/other-project.lace
+++ b/gitano-admin/rules/other-project.lace
@@ -4,7 +4,7 @@
 # | || | | (_) \ V / __/
 # |_||_| \___/ \_/ \___|
 #
-# Copyright 2012 Codethink Limited
+# Copyright 2012,2013 Codethink Limited
 #
 # Rules for any repository not under ##PREFIX##
@@ -17,6 +17,9 @@ allow "Anyone may write here" op_write
 # Lorry can do anything reffy which is not inside the local refs
 allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref
+# Noone can rewind/rebase outside of their personal refs
+deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal
+
 # Everyone else can do reffy things inside refs/heads/##PREFIX##
 allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
diff --git a/gitano-admin/rules/trove-project.lace b/gitano-admin/rules/trove-project.lace
index 5ba9e37..383ba98 100644
--- a/gitano-admin/rules/trove-project.lace
+++ b/gitano-admin/rules/trove-project.lace
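Review bot: The new `ref_is_personal` define carries no comment and is narrower than its name suggests: it only matches `refs/heads/##PREFIX##/<user>/…`, so a user's tags or any other non-`refs/heads` ref are never "personal", and the forced-update denies in the other two files that negate this define will refuse to rewrite them as well. If that is the intended policy, say so at the define, e.g. `# Personal refs are branches under refs/heads/##PREFIX##/<user>/ only; tags and other ref namespaces are deliberately not personal`. As with the existing `repo_is_personal` directly above it, `${user}` is interpolated into a regular expression without escaping, so the match is only as tight as the character set gitano allows in user names; that is pre-existing, but worth a note next to the two defines so nobody relaxes user-name validation without revisiting them.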
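Review bot: The new deny stops `op_forcedupdate` on non-personal branches, but the `allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref` rule right below it still permits every other ref operation, so if `op_is_reffy` includes deleting a ref (its definition is outside this hunk) a writer can still replace a shared branch's history by deleting the branch and pushing the rewritten one in two pushes. If the goal is only to catch accidental `--force` pushes, as the commit message says, that is acceptable but should be stated in the comment: `# Noone can rewind/rebase outside of their personal refs (accident guard only: delete+recreate is still allowed)`. If shared branches are meant to be protected, a matching deny on the ref-deletion operation, with the same `!is_lorry !ref_is_personal` qualifiers, is needed alongside this one. The protection also depends on this deny sitting above the writers' allow, which the placement here achieves; the comment should mention that ordering so a later edit does not move it.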
@@ -4,7 +4,7 @@
 # | || | | (_) \ V / __/
 # |_||_| \___/ \_/ \___|
 #
-# Copyright 2012 Codethink Limited
+# Copyright 2012,2013 Codethink Limited
 #
 # Rules for ##PREFIX##/... repositories
@@ -17,6 +17,7 @@ allow "Project writers may write" op_write project_writer
 deny "This repository is not for you" op_write
 # Ref based rules for the repo
+deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !ref_is_personal
 ## Master
 allow "Master may be created" op_createref master_ref
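Review bot: The deny added under `# Ref based rules for the repo` has no explanatory comment, unlike its twin in other-project.lace, and it also differs from that twin by omitting `!is_lorry`, so a reader cannot tell whether Lorry being refused forced updates inside ##PREFIX## repositories is deliberate. Add the same comment here, `# Noone can rewind/rebase outside of their personal refs`, and if the missing `!is_lorry` is intentional say why (presumably Lorry never writes to ##PREFIX## repositories, but nothing in this file shows that). If, as the rest of the rule files suggest, the first matching rule decides, then this line being above the `## Master` allows is what makes `master_ref` non-rewindable; spelling that out in the comment guards against the rule being moved below them later.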