
WARNING: This is not the latest gitolite; please see the README

advanced access control

"deny" rules

Warning: When using deny rules, the order of your rules matters, where earlier it did not.

PROCESSING LOGIC:

The first matching refex that has the permission you're looking for (W or +) or a minus (-), results in success or failure, respectively. A fallthrough also results in failure.

    RW refs/tags/v[0-9]     = ashok
    -  refs/tags/v[0-9]     = @staff
    RW refs/tags            = @staff

This allows only Ashok to write "version tags" (see rule for Ashok the QA guy somewhere above). The others can write any tags they want, except version tags. To understand this, try and match each rule in sequence with the name of the tag being pushed, and the user doing it, applying the logic described earlier.
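The sketch below is an added example, not gitolite's own code. It is a simplified model of the processing logic above, applied to these three tag rules, and shows what changes when the deny rule is moved below the broad grant. The `@staff` membership, the names `check` and `applies_to`, and treating a refex as a regex anchored at the start of the ref name are assumptions made for illustration.

```python
import re

# Constructed group membership (assumption: the page does not list @staff).
GROUPS = {"@staff": {"ashok", "wally", "dilbert"}}

# The page's tag rules in config order: (permission, refex, user or group).
TAG_RULES = [
    ("RW", "refs/tags/v[0-9]", "ashok"),
    ("-",  "refs/tags/v[0-9]", "@staff"),
    ("RW", "refs/tags",        "@staff"),
]

# Same rules with the deny line moved below the broad grant.
MISORDERED = [TAG_RULES[0], TAG_RULES[2], TAG_RULES[1]]

def applies_to(who, user):
    """True if a rule's user field names this user directly or via a group."""
    return user in GROUPS.get(who, {who})

def check(rules, user, ref, wanted="W"):
    """Return (allowed, reason) using first-match-wins processing."""
    for perm, refex, who in rules:
        if not applies_to(who, user):
            continue
        # Assumption: a refex is a regex anchored at the start of the ref name.
        if not re.match(refex, ref):
            continue
        if perm == "-":
            return False, f"denied by '- {refex} = {who}'"
        if wanted in perm:
            return True, f"allowed by '{perm} {refex} = {who}'"
        # The rule matched but lacks the wanted permission: keep looking.
    return False, "fallthrough (no rule matched)"

if __name__ == "__main__":
    pushes = [("ashok", "refs/tags/v1.0"),
              ("wally", "refs/tags/v1.0"),
              ("wally", "refs/tags/nightly")]
    for label, rules in (("page order", TAG_RULES), ("deny last", MISORDERED)):
        for user, ref in pushes:
            print(f"{label:10} {user:6} {ref:18} {check(rules, user, ref)}")
```

With the deny line last, the broad `RW refs/tags` grant matches first and a staff member can push a version tag, which is the ordering mistake to look for when reviewing a config that uses deny rules.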

rule accumulation

Rules accumulate, even when separated by rules for other repos, and they accumulate intuitively. For example:

    repo foo
        RW+             =   alice

    repo bar
        RW+             =   dilbert

    repo @all
        RW  dev/USER/   =   @staff

    repo foo
        RW+ tmp/        =   @staff

has the effective ruleset, for repo foo, of

    repo foo
        RW+             =   alice
        RW  dev/USER/   =   @staff
        RW+ tmp/        =   @staff

Just remember that if you use deny rules anywhere then the order of the rules matters!

gitweb and daemon

Gitolite does NOT do anything for gitweb and daemon access except