One approach could be to write a script that gets triggered by every change on refs/meta/config in all projects but project P, that would make sure that "read = BLOCK group X" is there in all the projects but P.
Obviously it is less than ideal...
And the script would have to make sure that there are no exceptions, accidental or not, in the project.config, because:
From the Permission evaluation reference [1]:
BLOCK rules can have exceptions defined on the same project (eg. BLOCK anonymous users, ie. everyone, but make an exception for Admin users), either by:
- adding ALLOW PermissionRules in the same Permission. This implies they apply to the same ref pattern.
- adding an ALLOW Permission in the same project with a more specific ref pattern, but marked "exclusive". This allows them to apply to different ref patterns.
I'm starting to think that, especially because of the second of the above, there is no way to achieve what I want.
I really hope someone can prove me wrong:)
Paweł