Standards enforced in All-Projects
In "All-Projects" we set restrictions that project owners cannot override, so that standard behavior is enforced.
E.g. we block:
- read access for anonymous users
- forging the committer identity and the server identity, so that only the committer of a change can push it
# Project metadata: free-text description of this project.
[project]
description = Permissions inherited by all other projects.
# Rules for every ref (pattern refs/*).
[access "refs/*"]
# read is allowed for Registered Users and blocked for Anonymous Users.
# In Gerrit the Anonymous Users group contains every user, signed in or not.
# An ALLOW in the same section of the same project overrides the BLOCK, so
# signed-in users keep read access, while projects inheriting from this one
# cannot grant read to anyone else.
read = group Registered Users
read = block group Anonymous Users
# No ALLOW accompanies these two blocks in this section, so forging the
# committer identity or the server identity is blocked for all users.
# forgeAuthor is not restricted in this section.
forgeCommitter = block group Anonymous Users
forgeServerAsCommitter = block group Anonymous Users
viewDrafts = group Administrators
revert = group Registered Users
# Tag refs: marks forgeCommitter as an exclusive permission for refs/tags/*.
# No forgeCommitter rule is listed in this section.
# NOTE(review): presumably this cannot lift the forgeCommitter block set on
# refs/* - verify the intended effect.
# NOTE(review): a second [access "refs/tags/*"] header appears later in this
# file (push/delete blocks). Repeated headers are normally merged by
# git-config style parsers; consolidating them makes the effective rules
# easier to audit.
[access "refs/tags/*"]
exclusiveGroupPermissions = forgeCommitter
# Rules for the project configuration branch (refs/meta/config).
# NOTE(review): no read rule or exclusive read is defined here, so read access
# to this ref appears to follow the refs/* grant to Registered Users - confirm
# that exposing project configuration to all signed-in users is intended.
[access "refs/meta/config"]
# Only Administrators may vote on and submit configuration changes.
label-Code-Review = -2..+2 group Administrators
label-Verified = -1..+1 group Administrators
submit = group Administrators
# Creating this ref is allowed for Administrators and Project Owners.
create = group Administrators
create = group Project Owners
# Review notes ref: push is blocked for Anonymous Users (all users) and no
# ALLOW is given in this section, so nobody can push to refs/notes/review.
[access "refs/notes/review"]
push = block group Anonymous Users
# Metadata refs (refs/meta/*): push is granted to Administrators only.
# This is a plain ALLOW, not a BLOCK, so other rules in this file or in
# projects that inherit from it may grant push to further groups.
[access "refs/meta/*"]
push = group Administrators
# Definition of the "Verified" label.
[label "Verified"]
# MaxWithBlock: the lowest value blocks submission and the highest value is
# required to enable it.
function = MaxWithBlock
# Each value line is "<score> <text>".
value = -1 Fails
value = 0 No score
value = +1 Verified
# Votes are carried over to a new patch set when the code itself is unchanged.
copyAllScoresIfNoCodeChange = true
defaultValue = 0
# Definition of the "Code-Review" label.
[label "Code-Review"]
# MaxWithBlock: a -2 vote blocks submission and a +2 vote is required to
# enable it.
function = MaxWithBlock
# The lowest score (the -2 veto) is copied forward to new patch sets, so a
# veto cannot be cleared just by uploading another patch set.
copyMinScore = true
# Each value line is "<score> <text>".
value = -2 Do not submit
value = -1 I would prefer that you didnt submit this
value = 0 No score
value = +1 Looks good to me, but someone else must approve
value = +2 Looks good to me, approved
# All scores, including approvals, are carried over when the new patch set is
# a trivial rebase.
copyAllScoresOnTrivialRebase = true
defaultValue = 0
# Checks applied to commits when they are received by the server.
[receive]
# No contributor agreement and no Signed-off-by footer are required.
requireContributorAgreement = false
requireSignedOffBy = false
# Every commit pushed for review must carry a Change-Id footer.
requireChangeId = true
createNewChangeForAllNotInTarget = false
# A push for review is rejected if it would implicitly merge commits that are
# not yet in the target branch.
rejectImplicitMerges = true
# Submit behaviour: on submit, try a content merge when both sides changed the
# same file, rather than failing on a path conflict.
[submit]
mergeContent = true
# Uploading changes for review against refs/meta/config is granted to
# Administrators only.
[access "refs/for/refs/meta/config"]
push = group Administrators
# Tag refs: the push and delete permissions are blocked for Anonymous Users
# (all users). No ALLOW is given in this section, so the block applies to
# everyone and cannot be re-granted by projects inheriting from this one.
# NOTE(review): this header repeats an earlier [access "refs/tags/*"] section
# in this file (exclusiveGroupPermissions). Consider merging the two so the
# tag rules can be reviewed in one place.
[access "refs/tags/*"]
push = block group Anonymous Users
delete = block group Anonymous Users
# Review refs (refs/for/*): any signed-in user may add a patch set to an
# existing change. This section grants addPatchSet only; it contains no push
# rule.
[access "refs/for/*"]
addPatchSet = group Registered Users
# Server-wide (global) capabilities.
[capability]
# Highest-privilege capabilities are limited to Administrators.
accessDatabase = group Administrators
administrateServer = group Administrators
# NOTE(review): the next two capabilities are granted to every signed-in user.
# The "delete-project-" prefix looks like a plugin-provided capability -
# confirm the plugin is installed and that this breadth is intended.
createGroup = group Registered Users
delete-project-deleteOwnProject = group Registered Users
priority = batch group Non-Interactive Users
# Registered Users get a query limit range of +0..+500.
# NOTE(review): the Anonymous Users line has no range - confirm how the server
# interprets it and which limit actually applies to unauthenticated users.
queryLimit = +0..+500 group Registered Users
queryLimit = group Anonymous Users
# NOTE(review): creating service users (apparently a plugin capability) and
# streaming server events are both open to every signed-in user. Confirm this
# is intended and that service-user creation is audited.
serviceuser-createServiceUser = group Registered Users
streamEvents = group Registered Users