document deny rules a bit better
parent 43da598c08
commit 09195afd44
|
@ -142,10 +142,18 @@ repo git
|
||||||
|
|
||||||
# DENY/EXCLUDE RULES
|
# DENY/EXCLUDE RULES
|
||||||
|
|
||||||
# ***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes
|
# ***IMPORTANT NOTES ABOUT "DENY" RULES***:
|
||||||
# a difference, where earlier it did not. Please review your ruleset
|
|
||||||
# carefully or test it. In particular, do not use `@all` in a deny rule -- it
|
# - deny rules do NOT affect read access. They only apply to `W` and `+`.
|
||||||
# won't work as you might expect***.
|
#
|
||||||
|
# - when using deny rules, the order of your rules starts to matter, where
|
||||||
|
# earlier it did not. The first matching rule applies, where "matching" is
|
||||||
|
# defined as either permitting the operation you're attempting (`W` or `+`),
|
||||||
|
# which results in success, or a "deny" (`-`), which results in failure.
|
||||||
|
# (As before, a fallthrough also results in failure).
|
||||||
|
#
|
||||||
|
# - do not use `@all` when your config has any deny rules; it won't work as
|
||||||
|
# you probably expect it to!
|
||||||
|
|
||||||
# in the example above, you cannot easily say "anyone can write any tag,
|
# in the example above, you cannot easily say "anyone can write any tag,
|
||||||
# except version tags can only be written by junio". The following might look
|
# except version tags can only be written by junio". The following might look
|
||||||
|
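Review bot: The third bullet of the new notes block widens the `@all` restriction without saying so or explaining it: the old text read "do not use `@all` in a deny rule", the new text reads "do not use `@all` when your config has any deny rules", and both stop at "it won't work as you probably expect". Please state whether the wider scope is intended, and whether "your config" means the whole file or only a repo that carries a deny rule. It would also help to say what actually happens, because an admin reading this cannot tell whether the outcome is access granted too broadly or access refused, and those call for very different levels of urgency when auditing an existing ruleset.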
@ -161,10 +169,6 @@ repo git
|
||||||
- refs/tags/v[0-9] = linus pasky @others
|
- refs/tags/v[0-9] = linus pasky @others
|
||||||
RW refs/tags/ = junio linus pasky @others
|
RW refs/tags/ = junio linus pasky @others
|
||||||
|
|
||||||
# Briefly, the rule is: the first matching refex that has the operation you're
|
|
||||||
# looking for (`W` or `+`), or a minus (`-`), results in success, or failure,
|
|
||||||
# respectively. A fallthrough also results in failure
|
|
||||||
|
|
||||||
# FILE/DIR NAME BASED RESTRICTIONS
|
# FILE/DIR NAME BASED RESTRICTIONS
|
||||||
# --------------------------------
|
# --------------------------------
|
||||||
|
|
||||||
|
|
|
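Review bot: Dropping the "Briefly, the rule is" summary here loses the only wording that tied the match to the refex ("the first matching refex that has the operation you're looking for"). The replacement in the notes block earlier in this file says "The first matching rule applies" and defines "matching" only in terms of `W`, `+` or `-`, so a reader can take it to mean the first rule with the right permission regardless of which ref it names. Suggest wording the new bullet as "the first rule whose refex matches the ref and that either permits the operation or is a deny", and consider leaving a one-line pointer after this example, since the rule is now stated some distance before the snippet it explains.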
@ -499,12 +499,9 @@ that code path to better use :-)
|
||||||
|
|
||||||
#### "exclude" (or "deny") rules
|
#### "exclude" (or "deny") rules
|
||||||
|
|
||||||
***IMPORTANT CAVEAT: if you use deny rules, the order of the rules also makes
|
Here is an illustrative explanation of "deny" rules. However, please be sure
|
||||||
a difference, where earlier it did not. Please review your ruleset carefully
|
to read the "DENY/EXCLUDE RULES" section in `conf/example.conf` for important
|
||||||
or test it. In particular, do not use `@all` in a deny rule -- it won't work
|
notes/caveats before using "deny" rules.
|
||||||
as you might expect***. Also, deny rules are only processed in the second
|
|
||||||
level checks (see "two levels of access rights checking" above), which means
|
|
||||||
they only apply to write operations.
|
|
||||||
|
|
||||||
Take a look at the following snippet, which *seems* to say that "bruce" can
|
Take a look at the following snippet, which *seems* to say that "bruce" can
|
||||||
write versioned tags (anything containing `refs/tags/v[0-9]`), but the other
|
write versioned tags (anything containing `refs/tags/v[0-9]`), but the other
|
||||||
|
|
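Review bot: The replacement paragraph removes the statement that deny rules "are only processed in the second level checks (see "two levels of access rights checking" above)" and leaves only a pointer to `conf/example.conf`. That sentence is the one a reader of this section most needs, because someone adding a `-` rule may assume it also blocks reads; the note in `conf/example.conf` says deny rules do not affect read access but no longer links that to the two-level check described in this document. Suggest keeping one sentence here, for example that deny rules apply only to `W` and `+` and never restrict read access, and retaining the cross-reference to the "two levels" section alongside the pointer to the example config.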