overriding config values: add second use case

commit 7973d2ab35a05e26047d18a449e4261ace8a448b 1 parent e7a43b8
Sitaram Chamarty authored
2  git-config.mkd
@@ -54,7 +54,7 @@ available to [wild][] repos.
54 54
         config hooks.mailinglist = %GL_REPO-commits@example.tld
55 55
         config hooks.emailprefix = "[%GL_REPO] "
56 56
 
57  
-## overriding config values
  57
+## #override_conf overriding config values
58 58
 
59 59
 You can repeat the 'config' line as many times as you like, and the *last*
60 60
 occurrence will be the one in effect.  This allows you to override settings
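Review bot: The `#override_conf` tag added to this heading (new line 57) is the only visible target for the `[override_conf]` references that this commit adds in options.mkd and rules.mkd, and none of the hunks adds a link definition line for it. Please confirm the doc build derives the link target from this heading tag; if it does not, both new references will render as literal brackets. If the old heading was linked from elsewhere by its generated anchor, check that those links still resolve after the rename.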
3  options.mkd
@@ -5,7 +5,8 @@ setting "options".
5 5
 
6 6
 A line like 'option foo = 1' is really just syntactic sugar for 'config
7 7
 gitolite-options.foo = 1', so everything in the [git-config][] page also
8  
-applies here.
  8
+applies here (especially the bit about [overriding config
  9
+values][override_conf]).
9 10
 
10 11
 Options are set by repo.  The syntax is very simple:
11 12
 
54  rules.mkd
@@ -167,30 +167,56 @@ that matches it", up at the top of this document.
167 167
 
168 168
 The access rules above show that you cannot make an exception to a group for
169 169
 the first check, i.e., you cannot lock Wally out of read access that other
170  
-members of @staff have.
  170
+members of @staff have, because read access does not look at "deny" rules by
  171
+default.
171 172
 
172  
-Here's another situation.  Let's say you have this at the end of your
173  
-gitolite.conf file:
  173
+This section will show how to make that happen.  We'll use ['gitweb' and
  174
+'daemon'][external] instead of Wally, but it could, of course, be any user or
  175
+group or list (like, say, '@interns') that needs to be restricted.
  176
+
  177
+We'll consider two cases.  In the first case, the "secret" repos are fewer in
  178
+number, and are enumerated in some group called @secret for convenience.
  179
+
  180
+    # put this at or near the top of the conf file, or at least before any
  181
+    # rules that give 'gitweb' and 'daemon' any kind of access
  182
+
  183
+    repo @secret
  184
+        -   =   gitweb daemon
  185
+        option deny-rules = 1
  186
+        # make sure you do not set deny-rules to 0 for these repos later
  187
+
  188
+Now imagine, worst case, you have this somewhere after the above:
174 189
 
175 190
     repo @all
176  
-        R   =   gitweb daemon
  191
+        R   =   @all
  192
+
  193
+The "deny-rules" option applies, as you can see, only to the secret repos.  It
  194
+forces gitolite to pay attention to any deny rules, and since the deny rule
  195
+for those two users appears first, access is denied to them.
177 196
 
178  
-but you don't want the gitolite-admin repo showing up on gitweb.  This is the
179  
-same situation -- you want to make an exception in '@all' this time.
  197
+The second case is where the "open" repos are fewer.
180 198
 
181  
-Here's how to do that:
  199
+    # put this at or near the top of the conf file, or at least before any
  200
+    # rules that give 'gitweb' and 'daemon' any access
182 201
 
183  
-    repo gitolite-admin
  202
+    repo @all
184 203
         -   =   gitweb daemon
185 204
         option deny-rules = 1
186 205
 
187  
-    repo @all
  206
+    repo @open
188 207
         R   =   gitweb daemon
  208
+        option deny-rules = 0
  209
+        # make sure you do not set deny-rules to 1 for these repos later
  210
+
  211
+To see why this works, you need to remember that for [options][] and
  212
+[config][git-config] lines, a later setting [overrides][override_conf] earlier
  213
+ones.  So we set it to 1 for all repos, then selectively set it to 0 for some.
189 214
 
190  
-When you set the 'deny-rules' option for a repo, you're telling the pre-git
191  
-checks (i.e., the read access check and the first write access check), to pay
192  
-attention to the deny rules, which otherwise they ignore.
  215
+This means the "deny-rules" option applies to *all the repos except the "open"
  216
+repos*, so the deny rule kicks in and denies access to those repos for those
  217
+users.
193 218
 
194 219
 Note that, any time deny rules are in play, the order matters; the `-` rule
195  
-must come *before* the `R` rule.  Also, as a reminder, refexes are ignored for
196  
-the first check.
  220
+must come *before* the `R` rule.  That is why the comments tell you to put
  221
+that stuff at the top of the conf.  Also, as a reminder, refexes are ignored
  222
+for the first check.
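Review bot: In the first case (new lines 183-186) the only warning that a later `option deny-rules = 0` undoes the restriction is a comment inside the conf example, although this same hunk explains further down that a later option setting overrides an earlier one. That makes the @secret case fail open: a later stanza that covers a secret repo and sets deny-rules to 0 would, together with the `R = @all` rule shown, let gitweb and daemon read those repos again without any error. Suggest saying so in prose next to the first example, the way the second case explains its override. The hunk also drops the old sentence stating that deny-rules makes the read access check and the first write access check pay attention to deny rules; the replacement wording "forces gitolite to pay attention to any deny rules" no longer says which checks are affected, so consider keeping that sentence. Minor: "This section will show how to make that happen" has no clear antecedent for "that" after the reworded paragraph above it.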
