document that @all doesn't work as expected in deny rules

@all in a deny rule doesn't work as it might look in the config file,
because @all rights are checked last.  This is fine if you don't have any
DENYs (and so rule order doesn't matter), but with DENY it causes some
problems.

I never bothered to document it because I did not expect that any repo
that is "serious" enough to have deny rules *at all* should then allow
*any* kind of "write" access to @all.  That's a very big contradiction
in terms of paranoia!

Translation: this will not be supported.  Don't bother asking.  You know
who you are :)
Sitaram Chamarty 2009-12-05 14:41:08 +05:30
parent e6da853082
commit 8a4bb453a0
2 changed files with 7 additions and 5 deletions

@ -131,7 +131,8 @@ repo git
# ***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes # ***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes
# a difference, where earlier it did not. Please review your ruleset # a difference, where earlier it did not. Please review your ruleset
# carefully or test it***. Or ask me. # carefully or test it. In particular, do not use `@all` in a deny rule -- it
# won't work as you might expect***.
# in the example above, you cannot easily say "anyone can write any tag, # in the example above, you cannot easily say "anyone can write any tag,
# except version tags can only be written by junio". The following might look # except version tags can only be written by junio". The following might look
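
Review bot: the sentence added to the IMPORTANT NOTE comment ("do not use `@all` in a deny rule -- it won't work as you might expect") says what to avoid but not what goes wrong. The commit message has the reason: `@all` rights are checked last, so the rule's position in the file does not decide when it is evaluated. Adding that one clause to the comment would let an admin who reads only the example config judge whether an existing ruleset is affected, which matters because a deny rule that does not apply where it appears to leaves access open rather than closed.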

@ -404,6 +404,11 @@ that code path to better use :-)
#### "exclude" (or "deny") rules #### "exclude" (or "deny") rules
***IMPORTANT CAVEAT: if you use deny rules, the order of the rules also makes
a difference, where earlier it did not. Please review your ruleset carefully
or test it. In particular, do not use `@all` in a deny rule -- it won't work
as you might expect***.
Take a look at the following snippet, which *seems* to say that "bruce" can Take a look at the following snippet, which *seems* to say that "bruce" can
write versioned tags (anything containing `refs/tags/v[0-9]`), but the other write versioned tags (anything containing `refs/tags/v[0-9]`), but the other
staffers can't: staffers can't:
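
Review bot: the caveat is now placed directly under the "exclude" (or "deny") rules heading, ahead of the snippet, so the reader meets the `@all` warning before having seen what a deny rule looks like. It is also labelled "IMPORTANT CAVEAT" here but "IMPORTANT NOTE" in the example config hunk for what is otherwise the same text. Suggest using one label in both files and following the caveat with a short ruleset that has `@all` on a `-` line, with a sentence on what actually happens to it, so "won't work as you might expect" is tied to a concrete case.
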
@ -447,10 +452,6 @@ And here's how it works:
before the third one, and it has a `-` as the permission, so the push before the third one, and it has a `-` as the permission, so the push
fails fails
***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes a
difference, where earlier it did not. Please review your ruleset carefully or
test it***. Or ask me.
#### "personal" branches #### "personal" branches
"personal" branches are great for corporate environments, where "personal" branches are great for corporate environments, where
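
Review bot: with the note removed from the end of the "And here's how it works" walkthrough, that section describes rules taking effect by their order in the file ("before the third one, and it has a `-` as the permission, so the push fails") and nothing in it says `@all` is the exception. A one-line pointer back to the caveat at this spot, where the ordering is explained, would keep the walkthrough from reading as if every rule is matched in file order.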