Skip to content
Browse files

overriding config values: add second use case

  • Loading branch information...
1 parent e7a43b8 commit 7973d2ab35a05e26047d18a449e4261ace8a448b @sitaramc committed
Showing with 43 additions and 16 deletions.
  1. +1 −1 git-config.mkd
  2. +2 −1 options.mkd
  3. +40 −14 rules.mkd
2 git-config.mkd
@@ -54,7 +54,7 @@ available to [wild][] repos.
config hooks.mailinglist = %GL_REPO-commits@example.tld
config hooks.emailprefix = "[%GL_REPO] "
-## overriding config values
+## #override_conf overriding config values
You can repeat the 'config' line as many times as you like, and the *last*
occurrence will be the one in effect. This allows you to override settings
3 options.mkd
@@ -5,7 +5,8 @@ setting "options".
A line like 'option foo = 1' is really just syntactic sugar for 'config = 1', so everything in the [git-config][] page also
-applies here.
+applies here (especially the bit about [overriding config
Options are set by repo. The syntax is very simple:
54 rules.mkd
@@ -167,30 +167,56 @@ that matches it", up at the top of this document.
The access rules above show that you cannot make an exception to a group for
the first check, i.e., you cannot lock Wally out of read access that other
-members of @staff have.
+members of @staff have, because read access does not look at "deny" rules by
-Here's another situation. Let's say you have this at the end of your
-gitolite.conf file:
+This section will show how to make that happen. We'll use ['gitweb' and
+'daemon'][external] instead of Wally, but it could, of course, be any user or
+group or list (like, say, '@interns') that needs to be restricted.
+We'll consider two cases. In the first case, the "secret" repos are fewer in
+number, and are enumerated in some group called @secret for convenience.
+ # put this at or near the top of the conf file, or at least before any
+ # rules that give 'gitweb' and 'daemon' any kind of access
+ repo @secret
+ - = gitweb daemon
+ option deny-rules = 1
+ # make sure you do not set deny-rules to 0 for these repos later
+Now imagine, worst case, you have this somewhere after the above:
repo @all
- R = gitweb daemon
+ R = @all
+The "deny-rules" option applies, as you can see, only to the secret repos. It
+forces gitolite to pay attention to any deny rules, and since the deny rule
+for those two users appears first, access is denied to them.
-but you don't want the gitolite-admin repo showing up on gitweb. This is the
-same situation -- you want to make an exception in '@all' this time.
+The second case is where the "open" repos are fewer.
-Here's how to do that:
+ # put this at or near the top of the conf file, or at least before any
+ # rules that give 'gitweb' and 'daemon' any access
- repo gitolite-admin
+ repo @all
- = gitweb daemon
option deny-rules = 1
- repo @all
+ repo @open
R = gitweb daemon
+ option deny-rules = 0
+ # make sure you do not set deny-rules to 1 for these repos later
+To see why this works, you need to remember that for [options][] and
+[config][git-config] lines, a later setting [overrides][override_conf] earlier
+ones. So we set it to 1 for all repos, then selectively set it to 0 for some.
-When you set the 'deny-rules' option for a repo, you're telling the pre-git
-checks (i.e., the read access check and the first write access check), to pay
-attention to the deny rules, which otherwise they ignore.
+This means the "deny-rules" option applies to *all the repos except the "open"
+repos*, so the deny rule kicks in and denies access to those repos for those
Note that, any time deny rules are in play, the order matters; the `-` rule
-must come *before* the `R` rule. Also, as a reminder, refexes are ignored for
-the first check.
+must come *before* the `R` rule. That is why the comments tell you to put
+that stuff at the top of the conf. Also, as a reminder, refexes are ignored
+for the first check.

0 comments on commit 7973d2a

Please sign in to comment.
Something went wrong with that request. Please try again.