--- a/setup/resources/model.conf Wed Sep 11 23:26:04 2019 -0500
+++ b/setup/resources/model.conf Wed Sep 11 23:28:54 2019 -0500
@@ -1,13 +1,24 @@
# This is a https://casbin.org model for implementing role based access control.
-# This model is nearly identical to the `RBAC with deny-override` define on
-# https://casbin.org/en/editor, but has the addition of falling back to a
-# "public" user/subject in the matcher if the requested role does not match
+# This model is based on the priorty example from the casbin documentation. It +# will evaluate polcies in a top to bottom approach accepting the first one that +# matches. This means that you have to be care when defining your policies. +# Say you would like to disable public access by default but then grant it to +# specific repositories later. This would need to be defined in the following -# In theory you should be able to swap this model out with another one that fits
-# your needs (remembering to update your policy.csv as well), but this has not
+# p, public, /foo, read, allow +# p, public, /*, read, deny +# If it was instead written as the following, the deny rule would be the first +# one matched and thus the allow would never be considered. +# p, public, /*, read, deny +# p, public, /foo, read, allow +# If this model does not work for you, you are able to change it thanks to @@ -17,9 +28,10 @@
-e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+e = priority(p.eft) || deny -m = (g(r.sub, p.sub) || p.sub == "public") && keyMatch(r.obj, p.obj) && access(r.act, p.act)
+m = (g(r.sub, p.sub) || p.sub == "public") && keyMatch(r.obj, p.obj) && g2(r.act, p.act) --- a/setup/resources/policy.csv.template Wed Sep 11 23:26:04 2019 -0500
+++ b/setup/resources/policy.csv.template Wed Sep 11 23:28:54 2019 -0500
@@ -16,22 +16,27 @@
# * effect is one of allow or deny.
+# The first policy that matches will be honored, so you'll want your +# restrictive policies first and your permissive policies last. # More than one policy can match, but if any of the matching policies is a deny,
# then the deny is honored and the user is denied permission.
-# allow all authenticated users to read everything
-p, public, /*, read, allow
# give users in the admins group the ability to create repositories everywhere.
p, admins, /*, init, allow
+# give admins write access to the {{.AdminRepo}} repo +p, admins, {{.AdminRepo}}, write, allow # deny authenticated, but not explicitly defined users read access to the
-p, public, /hgkeeper, read, deny
+p, public, {{.AdminRepo}}, read, deny +# finally allow all authenticated users to read everything +p, public, /*, read, allow
+############################################################################### +############################################################################### # The format of a group is as follows:
@@ -43,3 +48,13 @@
# This value was adding during when the setup command was run to add
# {{.AdminUsername}} to the admins group.
g, {{.AdminUsername}}, admins
+############################################################################### +############################################################################### +# give the write action read permission +# give the init action write permission (which has read)
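Review bot: The new comment block in the model.conf hunk has several typos that will ship into the generated config: "priorty" should be "priority", "polcies" should be "policies", and "you have to be care when defining" should read "you have to be careful when defining". Since this comment is the only place the first-match semantics are explained to operators, it is worth getting the wording right; the ordering example (`p, public, /foo, read, allow` before `p, public, /*, read, deny`) is otherwise a good illustration.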
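Review bot: The matcher in the model.conf effect/matcher hunk now calls `g2(r.act, p.act)` in place of `access(r.act, p.act)`, but no `g2 = _, _` line under `[role_definition]` is visible in the shown context; casbin will fail to load the model if `g2` is referenced in the matcher without being declared, so please confirm that declaration is part of this change. Also note the direction of the check: with `g2(r.act, p.act)` and an action hierarchy of write inheriting read, a write request satisfies a read policy, but a read request does not satisfy a write policy.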
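Review bot: In the first policy.csv.template hunk the newly added comment "The first policy that matches will be honored" is immediately followed by the retained lines "More than one policy can match, but if any of the matching policies is a deny, then the deny is honored", which describe the old deny-override effect that `e = priority(p.eft) || deny` replaces; the stale sentence should be dropped so operators do not order policies on the wrong assumption. On the ordering itself, the new sequence is `p, admins, {{.AdminRepo}}, write, allow` then `p, public, {{.AdminRepo}}, read, deny` then `p, public, /*, read, allow`: for a read request from an admin, the write-allow rule only matches if `g2(read, write)` holds, which it does not when the hierarchy is write inheriting read, so the first matching rule is the public deny and the admin is refused read on the admin repo. Either add `p, admins, {{.AdminRepo}}, read, allow` ahead of the deny or confirm that this case is covered elsewhere.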
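Review bot: The last policy.csv.template hunk adds the comments "give the write action read permission" and "give the init action write permission (which has read)" but no corresponding `g2` rows are visible in the shown lines, even though the hunk header advertises 13 new lines. Since the matcher now depends on `g2(r.act, p.act)`, please confirm the rows that implement those comments (of the form `g2, write, read` and `g2, init, write`) are present in the template; without them the action hierarchy is undefined and admins granted `init` would not inherit `write` or `read` as the comments promise.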