Commit

document that @ALL doesn't work as expected in deny rules
@ALL in a deny rule doesn't work as it might look in the config file,
because @ALL rights are checked last.  This is fine if you don't have any
DENYs (and so rule order doesn't matter), but with DENY it causes some
problems.

I never bothered to document it because I did not expect that any repo
that is "serious" enough to have deny rules *at all* should then allow
*any* kind of "write" access to @ALL.  That's a very big contradiction
in terms of paranoia!

Translation: this will not be supported.  Don't bother asking.  You know
who you are :)
Sitaram Chamarty committed Dec 5, 2009
1 parent e6da853 commit 8a4bb45
Showing 2 changed files with 7 additions and 5 deletions.
3 changes: 2 additions & 1 deletion conf/example.conf
Expand Up @@ -131,7 +131,8 @@ repo git

# ***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes
# a difference, where earlier it did not. Please review your ruleset
# carefully or test it***. Or ask me.
# carefully or test it. In particular, do not use `@all` in a deny rule -- it
# won't work as you might expect***.

# in the example above, you cannot easily say "anyone can write any tag,
# except version tags can only be written by junio". The following might look
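
Review bot: the sentence added to the IMPORTANT NOTE comment tells the reader not to use `@all` in a deny rule but never says why. The commit message has the reason (@ALL rights are checked last, so the rule does not act where it appears in the config file); suggest adding that clause to the comment, since "it won't work as you might expect" gives an admin nothing to reason with when reviewing a ruleset. The comment also writes `@all` where the commit message writes @ALL; use one spelling throughout.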
9 changes: 5 additions & 4 deletions doc/3-faq-tips-etc.mkd
Expand Up @@ -404,6 +404,11 @@ that code path to better use :-)

#### "exclude" (or "deny") rules

***IMPORTANT CAVEAT: if you use deny rules, the order of the rules also makes
a difference, where earlier it did not. Please review your ruleset carefully
or test it. In particular, do not use `@all` in a deny rule -- it won't work
as you might expect***.

Take a look at the following snippet, which *seems* to say that "bruce" can
write versioned tags (anything containing `refs/tags/v[0-9]`), but the other
staffers can't:
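
Review bot: the caveat added under the "exclude" (or "deny") rules heading is labelled IMPORTANT CAVEAT, while the same text in conf/example.conf is still labelled IMPORTANT NOTE; pick one label so a search for either finds both copies. The caveat also stops at "do not use" without saying what to do instead. The commit message's position, that a repo with deny rules should not give @ALL any kind of write access, would be worth one sentence here.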
Expand Down Expand Up @@ -447,10 +452,6 @@ And here's how it works:
before the third one, and it has a `-` as the permission, so the push
fails

***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes a
difference, where earlier it did not. Please review your ruleset carefully or
test it***. Or ask me.

#### "personal" branches

"personal" branches are great for corporate environments, where
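
Review bot: with the trailing note removed after the "And here's how it works" walkthrough, "Or ask me." is gone from both files, yet nothing in the docs says what the commit message says outright, that `@all` in deny rules will not be supported. Suggest stating that in the relocated caveat so readers do not take the limitation for a bug to report.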