In the previous chapter, when we looked at the deny rules, we showed them only in the context of a write operation, controlling whether a certain branch or tag can be pushed or not.
By default, the deny rules are not examined when checking read access. So something like the following:
    @junior-devs = alice bob carol

    repo foo
        -   = bob
        RW+ = @junior-devs

will not prevent Bob from at least reading the repository (that is, using git clone or git fetch), even though the deny rule appears first.
However, it is possible to make Gitolite act on deny rules in this case also. This is achieved by specifying a Gitolite option called deny-rules, as follows:
    repo foo
        -   = bob
        RW+ = @junior-devs
        option deny-rules = 1

Now Bob will not even be able to clone the repository.
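
The difference between the two configurations can be seen in a small model of the read-access check. This is an added example, not Gitolite's own code: it assumes rules are matched on user only (refexes are ignored), and the names parse_repo and can_read are hypothetical.

```python
# Simplified model of Gitolite's read-access check (illustration only, not Gitolite's code).
# Assumption: refexes are ignored; a rule is just (permission, set of users).
GROUPS = {"@junior-devs": {"alice", "bob", "carol"}}  # from the example config

WITHOUT_OPTION = """
    -   = bob
    RW+ = @junior-devs
"""
WITH_OPTION = WITHOUT_OPTION + "    option deny-rules = 1\n"

def parse_repo(body):
    """Return (rules, options) for the body of one 'repo' stanza."""
    rules, options = [], {}
    for line in body.strip().splitlines():
        left, _, right = (part.strip() for part in line.partition("="))
        if left.startswith("option "):
            options[left.split()[1]] = right
        else:
            users = set()
            for name in right.split():
                users |= GROUPS.get(name, {name})  # expand group or single user
            rules.append((left, users))
    return rules, options

def can_read(user, body):
    """First matching rule wins; deny rules count only if deny-rules is set."""
    rules, options = parse_repo(body)
    deny_active = options.get("deny-rules") == "1"
    for perm, users in rules:
        if user not in users:
            continue
        if perm == "-":
            if deny_active:
                return False   # deny rule now applies to reads too
            continue           # default: deny rule skipped for read access
        if "R" in perm:
            return True
    return False               # no rule granted access

if __name__ == "__main__":
    for label, body in (("default", WITHOUT_OPTION), ("deny-rules = 1", WITH_OPTION)):
        print(label, {u: can_read(u, body) for u in ("alice", "bob", "dave")})
```

On a real server, the result for a given user and repository can be checked with the gitolite access command.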