doc/3: couple of clarifications
- deny rules only apply to "W" ops - be more specific about what allows "R" to pass
This commit is contained in:
Sitaram Chamarty
parent
98d73965b6
commit
b4a65ab73c
|
|
@ -217,8 +217,8 @@ Note that at this point no git program has entered the picture, and we have no
|
|||
way of knowing what **ref** (branch, tag, etc) he is trying to update, even if
|
||||
it is a "write" operation.
|
||||
|
||||
For a "read" operation to pass this check, the username (or `@all`) must be
|
||||
mentioned on some line in the config for this repo.
|
||||
For a "read" operation to pass this check, the username (or `@all`) must have
|
||||
read permission (i.e., R, RW, or RW+) on at least one branch of the repo.
|
||||
|
||||
For a "write" operation, there is an additional restriction: lines specifying
|
||||
only `R` (read access) don't count. *The user must have write access to
|
||||
|
|
@ -501,7 +501,9 @@ that code path to better use :-)
|
|||
***IMPORTANT CAVEAT: if you use deny rules, the order of the rules also makes
|
||||
a difference, where earlier it did not. Please review your ruleset carefully
|
||||
or test it. In particular, do not use `@all` in a deny rule -- it won't work
|
||||
as you might expect***.
|
||||
as you might expect***. Also, deny rules are only processed in the second
|
||||
level checks (see "two levels of access rights checking" above), which means
|
||||
they only apply to write operations.
|
||||
|
||||
Take a look at the following snippet, which *seems* to say that "bruce" can
|
||||
write versioned tags (anything containing `refs/tags/v[0-9]`), but the other
|
||||
|
|
|
|||
Loading…
Reference in a new issue