-rw-r--r--docs/01_setup.mkd21
-rw-r--r--src/com/gitblit/Constants.java4
-rw-r--r--src/com/gitblit/wicket/GitBlitWebApp.properties3
-rw-r--r--src/com/gitblit/wicket/pages/BasePage.java3
-rw-r--r--tests/com/gitblit/tests/PermissionsTest.java26
5 files changed, 53 insertions, 4 deletions
diff --git a/docs/01_setup.mkd b/docs/01_setup.mkd
index 6d015a3e..c19f7fb1 100644
--- a/docs/01_setup.mkd
+++ b/docs/01_setup.mkd
@@ -266,7 +266,26 @@ These permission codes are combined with the repository path to create a user pe
Gitblit also supports *case-insensitive* regex matching for repository permissions. The following permission grants push privileges to all repositories in the *mygroup* folder.
- RW:mygroup/[a-z0-9-~_\\./]+
+ RW:mygroup/.*
+
+##### Exclusions
+
+When using regex matching it may also be useful to exclude specific repositories or to exclude regex repository matches. You may specify the **X** permission for exclusion. The following example grants clone permission to all repositories except the repositories in mygroup. The user/team will have no access whatsoever to these repositories.
+
+ X:mygroup/.*
+ R:.*
+
+##### Order is Important
+
+The preceding example should suggest that order of permissions is important with regex matching. Here are the rules for determining the permission that is applied to a repository request:
+
+1. If the user is an admin or repository owner, then RW+
+2. Else if user has an explicit permission, use that
+3. Else check for the first regex match in user permissions
+4. Else check for the HIGHEST permission from team memberships
+ 1. If the team is an admin team, then RW+
+ 2. Else if a team has an explicit permission, use that
+ 3. Else check for the first regex match in team permissions
#### No-So-Discrete Permissions (Gitblit <= v1.1.0)
diff --git a/src/com/gitblit/Constants.java b/src/com/gitblit/Constants.java
index 970c3db5..33cf2873 100644
--- a/src/com/gitblit/Constants.java
+++ b/src/com/gitblit/Constants.java
@@ -319,9 +319,9 @@ public class Constants {
* The access permissions available for a repository.
*/
public static enum AccessPermission {
- NONE("N"), VIEW("V"), CLONE("R"), PUSH("RW"), CREATE("RWC"), DELETE("RWD"), REWIND("RW+");
+ NONE("N"), EXCLUDE("X"), VIEW("V"), CLONE("R"), PUSH("RW"), CREATE("RWC"), DELETE("RWD"), REWIND("RW+");
- public static final AccessPermission [] NEWPERMISSIONS = { VIEW, CLONE, PUSH, CREATE, DELETE, REWIND };
+ public static final AccessPermission [] NEWPERMISSIONS = { EXCLUDE, VIEW, CLONE, PUSH, CREATE, DELETE, REWIND };
public static AccessPermission LEGACY = REWIND;
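Review bot: EXCLUDE is inserted between NONE and VIEW in `AccessPermission`, so its ordinal now ranks above NONE, and nothing in the hunk says that a deny marker must not be read as a rank. The enum body continues outside the hunk, so the following is inferred rather than seen. Any comparison based on declaration order could let another team's grant outrank a team-level X. The "HIGHEST permission from team memberships" rule in this commit's docs/01_setup.mkd would do the same if "highest" is ordinal-based. I would document the intent on the constant, for example `// EXCLUDE ("X") is a deny marker applied by first-match order, not a rank; do not compare it by ordinal`, and state in the docs whether a team X can be overridden by another team's R.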
diff --git a/src/com/gitblit/wicket/GitBlitWebApp.properties b/src/com/gitblit/wicket/GitBlitWebApp.properties
index 41cbdd46..09ee929b 100644
--- a/src/com/gitblit/wicket/GitBlitWebApp.properties
+++ b/src/com/gitblit/wicket/GitBlitWebApp.properties
@@ -348,7 +348,8 @@ gb.repositoryPermissions = repository permissions
gb.userPermissions = user permissions
gb.teamPermissions = team permissions
gb.add = add
-gb.noPermission = NO ACCESS
+gb.noPermission = DELETE PERMISSION
+gb.excludePermission = {0} (exclude)
gb.viewPermission = {0} (view)
gb.clonePermission = {0} (clone)
gb.pushPermission = {0} (push)
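Review bot: The new label `gb.noPermission = DELETE PERMISSION` is easy to misread in an access-control selector, because the same enum has a DELETE ("RWD") level, which presumably has its own "(delete)" label outside this hunk. The BasePage hunk in this commit puts NONE and the real levels into the same choice map, so the two could appear side by side. A label that names the action on the entry, such as `gb.noPermission = REMOVE ENTRY`, would avoid the ambiguity. It would also help to note in the docs that the N choice no longer denies access and that X is now the way to deny.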
diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index 48a872a8..dcca3619 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -212,6 +212,9 @@ public abstract class BasePage extends WebPage {
case NONE:
map.put(type, MessageFormat.format(getString("gb.noPermission"), type.code));
break;
+ case EXCLUDE:
+ map.put(type, MessageFormat.format(getString("gb.excludePermission"), type.code));
+ break;
case VIEW:
map.put(type, MessageFormat.format(getString("gb.viewPermission"), type.code));
break;
diff --git a/tests/com/gitblit/tests/PermissionsTest.java b/tests/com/gitblit/tests/PermissionsTest.java
index befd3603..b6ffa626 100644
--- a/tests/com/gitblit/tests/PermissionsTest.java
+++ b/tests/com/gitblit/tests/PermissionsTest.java
@@ -2533,6 +2533,32 @@ public class PermissionsTest extends Assert {
assertFalse("user CAN delete!", user.canDelete(personal));
assertFalse("user CAN edit!", user.canEdit(personal));
}
+
+ @Test
+ public void testExclusion() throws Exception {
+ RepositoryModel personal = new RepositoryModel("~ubercool/_my-r/e~po.git", null, null, new Date());
+ personal.authorizationControl = AuthorizationControl.NAMED;
+ personal.accessRestriction = AccessRestrictionType.VIEW;
+
+ UserModel user = new UserModel("test");
+ user.setRepositoryPermission("~ubercool/.*", AccessPermission.EXCLUDE);
+ user.setRepositoryPermission(".*", AccessPermission.PUSH);
+
+ // has EXCLUDE access because first match is EXCLUDE permission
+ assertTrue("user DOES NOT HAVE a repository permission!", user.hasRepositoryPermission(personal.name));
+ assertFalse("user CAN NOT view!", user.canView(personal));
+ assertFalse("user CAN NOT clone!", user.canClone(personal));
+ assertFalse("user CAN push!", user.canPush(personal));
+
+ assertFalse("user CAN create ref!", user.canCreateRef(personal));
+ assertFalse("user CAN delete ref!", user.canDeleteRef(personal));
+ assertFalse("user CAN rewind ref!", user.canRewindRef(personal));
+
+ assertFalse("user CAN fork!", user.canFork(personal));
+
+ assertFalse("user CAN delete!", user.canDelete(personal));
+ assertFalse("user CAN edit!", user.canEdit(personal));
+ }
@Test
public void testAdminTeamInheritance() throws Exception {
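Review bot: The failure messages on the `canView` and `canClone` assertions in `testExclusion` are inverted, because `assertFalse` fails exactly when the user can view or clone. They should read `assertFalse("user CAN view!", user.canView(personal));` and `assertFalse("user CAN clone!", user.canClone(personal));`, matching the other assertions in the test. The test also covers only the user-level first-regex-match path. Three more cases would pin the remaining rules from the documentation: an explicit permission alongside an X regex, the same two entries registered in the opposite order, and a team-level X combined with another team's grant.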