author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-06-17 10:06:13 +0000 |
---|---|---|
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-06-17 11:12:35 +0000 |
commit | 54e3fbd49d10b70d04e03a646a494ec29a49ffc3 (patch) | |
tree | e7d955af0c4ea29f032709fe06f208509fccaa99 /share/gitano/skel/gitano-admin/rules/siteadmin.lace | |
parent | 5b0245acc1b5b1c520db847d70b1b81bafb4d0c2 (diff) | |
download | trove-setup-54e3fbd49d10b70d04e03a646a494ec29a49ffc3.tar.gz |
Move gitano skeleton to /usr/share/trove-setup/
Diffstat (limited to 'share/gitano/skel/gitano-admin/rules/siteadmin.lace')
-rw-r--r-- | share/gitano/skel/gitano-admin/rules/siteadmin.lace | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/siteadmin.lace b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..06c71bb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't an administrator.
+
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
+
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
+
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration" |
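Review bot: The `allow "Trove project managers can manage the groups for their projects"` rule carries no `!target_group_gitano_admin` guard, unlike the site-admin `op_group` rule above it, so a group named `gitano-managers` would, via `trove_may_admin_target_group`, let its members manage `gitano-admin` (assuming `${targetgroup/prefix}` yields `gitano` for that target — confirm against the prefix semantics). Whether that is reachable depends on who may create `*-managers` groups, which this file does not show; if site admins can, the exclusion the first rule enforces is bypassable through an intermediate group, and the final `deny` does not help because the earlier `allow` already matched. Adding the same guard keeps the two rules consistent: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group !target_group_gitano_admin`. The `~%-` on `target_group_has_hyphen` reads as a Lua-pattern escaped hyphen, which is not obvious to a reader; a comment such as `# ~%- : pattern match, literal hyphen anywhere in the target group name` above the define would help.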