From 8a4bb453a0d40e90cfab79997c6a32aa8e468e6b Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Sat, 5 Dec 2009 14:41:08 +0530 Subject: [PATCH] document that @all doesn't work as expected in deny rules @all in a deny rule doesn't work as it might look in the config file, because @all rights are checked last. This is fine if you don't have any DENYs (and so rule order doesn't matter), but with DENY it causes some problems. I never bothered to document it because I did not expect that any repo that is "serious" enough to have deny rules *at all* should then allow *any* kind of "write" access to @all. That's a very big contradiction in terms of paranoia! Translation: this will not be supported. Don't bother asking. You know who you are :) --- conf/example.conf | 3 ++- doc/3-faq-tips-etc.mkd | 9 +++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/conf/example.conf b/conf/example.conf index 64ac059..b5ead17 100644 --- a/conf/example.conf +++ b/conf/example.conf @@ -131,7 +131,8 @@ repo git # ***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes # a difference, where earlier it did not. Please review your ruleset -# carefully or test it***. Or ask me. +# carefully or test it. In particular, do not use `@all` in a deny rule -- it +# won't work as you might expect***. # in the example above, you cannot easily say "anyone can write any tag, # except version tags can only be written by junio". The following might look diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd index c112fd4..464a4e5 100644 --- a/doc/3-faq-tips-etc.mkd +++ b/doc/3-faq-tips-etc.mkd
@@ -404,6 +404,11 @@ that code path to better use :-) #### "exclude" (or "deny") rules +***IMPORTANT CAVEAT: if you use deny rules, the order of the rules also makes +a difference, where earlier it did not. Please review your ruleset carefully +or test it. In particular, do not use `@all` in a deny rule -- it won't work +as you might expect***. + Take a look at the following snippet, which *seems* to say that "bruce" can write versioned tags (anything containing `refs/tags/v[0-9]`), but the other staffers can't: @@ -447,10 +452,6 @@ And here's how it works: before the third one, and it has a `-` as the permission, so the push fails -***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes a -difference, where earlier it did not. Please review your ruleset carefully or -test it***. Or ask me. - #### "personal" branches "personal" branches are great for corporate environments, where
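Review bot: the new comment in the `conf/example.conf` hunk (`@@ -131,7 +131,8 @@`) says a deny rule on `@all` "won't work as you might expect" but not in which direction it fails, so an admin cannot tell whether the deny is too strict or silently ignored; since the commit message states the cause (rights granted to `@all` are checked last, i.e. after the explicit rules), suggest adding that one line to the comment, e.g. `# (rules for @all are checked last, so a deny on @all does not block the earlier allows)`, so the reader understands that this is a fail-open case and why a deny on `@all` cannot be relied on.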
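Review bot: the caveat added in the `doc/3-faq-tips-etc.mkd` hunk (`@@ -404,6 +404,11 @@`) repeats the config-file comment word for word, which means two copies to keep in sync; suggest keeping the full explanation (including the "checked last" reason from the commit message) in this FAQ section, where there is room to explain it, and having the `conf/example.conf` comment refer readers to this section. The caveat also now precedes the example that illustrates how rule order matters, so the warning appears before the mechanism it relies on; if the intent is a "read this first" flag, consider adding one sentence such as "see the example below for how the order is evaluated" so the two pieces connect.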