Permissions associated with NOT being in a group or a union

[Andrew Allen]

I'm trying to set up a Gerrit server for use on a project where we want everyone involved to sign a CLA. The way the CLA mechanism works, the user is automatically added to a group (CLA Signed) and then they have all the permissions of that group as soon as they click "I accept". This is great, except that the project isn't publicly available and anyone who found the server could sign up for an account and sign the CLA. Is there a way to set up the permissions to BLOCK read/push/whatever on users who aren't in the CLA group or is there a way to say that for read you need to be in the CLA group and in the project team group?  

[Shawn Pearce]

You can't do AND in the access rules. But you can give push/etc.
permissions to the CLA group and keep read to another group that you
manually manage. If the user doesn't have read, they can't do anything
else so it blocks out the users not yet in the group. You'll have to
manually verify a user is in the CLA group before you add them to the
reader group.

[Andrew Allen]

Perfect! I will give the CLA group push access and leave the read
permission to a manually managed group. Thanks Shawn.

/** ~Andrew Z Allen */