Don't allow cloning of config repo if anon isn't set to read-write

charmbracelet · Oct 4, 2021 · e198dc4 · e198dc4
1 parent 73edc31
commit e198dc4
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/config/auth.go b/config/auth.go
@@ -38,9 +38,14 @@ func (cfg *Config) accessForKey(repo string, pk ssh.PublicKey) gm.AccessLevel {
 					return gm.ReadWriteAccess
 				}
 			}
-			return gm.ReadOnlyAccess
+			if repo != "config" {
+				return gm.ReadOnlyAccess
+			}
 		}
 	}
+	if repo == "config" && (cfg.AnonAccess != "read-write") {
+		return gm.NoAccess
+	}
 	switch cfg.AnonAccess {
 	case "no-access":
 		return gm.NoAccess