This should address both:

repo arepo
  RW          = @developer
  -  master$  = @developer

  RW                     = user1
  - master and VREF/NAME/adirectory = user1

The access rules and refex pages explain how /refs/head/master branch is denied for push for @developer.

The Virtual Refs 'NAME' allows you to deny push for a given directory or file.

The Drew Lesueur adds in the comments:

  - master VREF/NAME/adirectory = user1

It seems to not be doing an "and" condition but an "or" for us - master VREF/NAME/adirectory = user1
I ended up writing a custom VREF script for what I needed

I confirm that, in this case, only a custom VREF can match the OP's requirements, until gitolite 3.5 (and the introduction of 'and'): see sitaram (creator of gitolite)'s answer.

As of v3.5, you can do this:

(1) add this line

'refex-expr',

somewhere inside the ENABLE hash in the .gitolite.rc file.

(2) use rules like this:

repo r1
    RW+ master                          =   user
    RW+                                 =   user
    RW+ VREF/NAME/Makefile              =   user
    -   master and VREF/NAME/Makefile   =   user

Documentation (including warnings!) is inside src/VREF/refex-expr. There are some other neat examples in there.

Please note that I do not follow SO/SE/etc.; IMO the gitolite mailing list is the correct place for questions about gitolite.

However, someone pointed this one out to me, and since it referenced a very recent feature I thought I'd chip in.

-- sitaram