I have GITOLITE on my server and I want to configure access to my repository. I want to restrict access to some branches for some users. I tried a lot of variants of the gitolite.conf file and I didn't find a solution for restricting access to some branches.
1)
@developers1 = user1
@developers2 = user2
repo dbatest
RW+ = @developers1
R test = @developers2
- test = @developers2
RW+ = @developers2
When user2 executed the command git push origin test, the push succeeded.
In the gitolite log I had these lines:
http ARGV=user2 SOC=git-receive-pack 'dbatest' FROM=10.65.184.239
6453 pre_git dbatest user2 W any refs/.*
6453 system,git,http-backend
6453 END
2)
@developers1 = user1
@developers2 = user2
repo dbatest
RW+ = @developers1
- test = @developers2
RW+ = @developers2
When user2 executed the command git push origin test, the push succeeded.
In the gitolite log I had these lines:
http ARGV=user2 SOC=git-receive-pack 'dbatest' FROM=10.65.184.239
6457 pre_git dbatest user2 W any refs/.*
6457 system,git,http-backend
6457 END
3)
@developers1 = user1
@developers2 = user2
repo dbatest
RW+ = @developers1
R test = @developers2
- test = @developers2
RW+ = @developers2
option deny-rules = 1
When user2 executed the command git push origin test, the push was denied and he saw this message:
fatal: remote error: FATAL: W any dbatest user2 DENIED by refs/heads/test
(or you mis-spelled the reponame)
And in the gitolite log I had this:
8161 http ARGV=user2 SOC=git-receive-pack 'dbatest' FROM=10.65.184.239
8161 die W any dbatest user2 DENIED by refs/heads/test<<newline>>(or you mis-spelled the reponame)
It looks good, but when he tried to push something into the master branch he had this message too.
I tried mixing these lines in my gitolite config file but they didn't work for me.
I will be happy if someone can help me with it. I want to restrict write access to some branches for some developers. I can't create an additional repository; I must use a restriction policy on one main repository.
Big Thanks!
If I look at the official documentation:
So this looks right:
However gitolite has two checks:
- test
is ignored),
In your case, the ref (test) should be known and the deny rule should apply.
You can debug more by tracing the logic of your specific rules with:
The OP Sufelfay confirms in the comments that it works with 3.5.3, not with 3.6.x.
As Sufelfay said in the comments to the other posting, this is a bug in recent versions of Gitolite.
The access check is split into two phases. During the initial phase the ref is unknown and Gitolite is supposed to skip all rules referring to refs.
In fact, however, it applies all rules but ignores the ref specification. Thus ...
... is evaluated as ...
... during the first phase. To make matters worse, the error indicates the very last rule which was processed. This rule may be unrelated.
As a workaround you can add an access rule for any before the deny rules:
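A simplified Python model of the two-phase check as the answers above describe it, added here as an illustration; it is not Gitolite's code and not part of either answer. The rule list mirrors the question's third config, and the leading `RW+ any` rule is an assumed spelling of the workaround, constructed for this example because the answer's own rule is not shown on the page.

```python
import re

# Rules user2 matches in the question's third config (deny-rules = 1),
# as (permission, refex). A bare branch name is expanded to
# refs/heads/<name> and an empty refex to refs/.*
CONFIG3 = [("R", "refs/heads/test"), ("-", "refs/heads/test"), ("RW+", "refs/.*")]
# Assumed workaround rule placed first; constructed for this example.
WORKAROUND = [("RW+", "refs/heads/any")] + CONFIG3


def check(rules, ref, want="W", deny_rules=True):
    """Return (allowed, refex of the deciding rule).

    ref == "any" models the first phase, where the branch is not yet known.
    """
    for perm, refex in rules:
        if perm == "-" and ref == "any" and not deny_rules:
            continue  # deny rules are skipped in phase one without the option
        # Behaviour described above: in phase one the refex is not compared.
        if ref != "any" and not re.match(refex, ref):
            continue
        if perm == "-":
            return False, refex
        if want in perm:
            return True, refex
    return False, None  # fall-through: no rule granted the access


def push(rules, branch, deny_rules=True):
    """Run both phases for a push to `branch`; report the first denial."""
    for ref in ("any", "refs/heads/" + branch):
        ok, refex = check(rules, ref, deny_rules=deny_rules)
        if not ok:
            return "DENIED by %s (ref=%s)" % (refex, ref)
    return "allowed"


if __name__ == "__main__":
    for name, rules in (("config 3", CONFIG3), ("with workaround", WORKAROUND)):
        for branch in ("master", "test"):
            print(name, branch, "->", push(rules, branch))
```

In this model the third config is rejected in phase one for every branch, which matches the `W any ... DENIED by refs/heads/test` log line, while the leading rule lets phase one pass so that the deny rule only takes effect once the real ref is known.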