Gitolite restrict access to branch

I have Gitolite on my server and I want to configure access to my repository. I want to restrict access to some branches for some users. I tried many variants of the gitolite.conf file and didn't find a solution for how to restrict access to some branches.

1)

    @developers1 = user1
    @developers2 = user2

    repo dbatest
       RW+    = @developers1
       R test = @developers2
       - test = @developers2
       RW+    = @developers2

When user2 executed the command `git push origin test`, the push succeeded.
In the gitolite log I had these lines:

    http    ARGV=user2  SOC=git-receive-pack 'dbatest'  FROM=10.65.184.239
    6453    pre_git dbatest user2   W   any refs/.*
    6453    system,git,http-backend
    6453    END
    

2)

    @developers1 = user1
    @developers2 = user2
    
    repo dbatest 
       RW+    = @developers1
       - test = @developers2
       RW+    = @developers2
    

When user2 executed the command `git push origin test`, the push succeeded.
In the gitolite log I had these lines:

    http    ARGV=user2  SOC=git-receive-pack 'dbatest'  FROM=10.65.184.239
    6457    pre_git dbatest user2   W   any refs/.*
    6457        system,git,http-backend
    6457    END
    

3)

    @developers1 = user1
    @developers2 = user2
    
    repo dbatest 
       RW+    = @developers1
       R test = @developers2
       - test = @developers2
       RW+    = @developers2
       option deny-rules = 1
    

When user2 executed the command `git push origin test`, the push was denied and he saw this message:

    fatal: remote error: FATAL: W any dbatest user2 DENIED by refs/heads/test
    (or you mis-spelled the reponame)
    

And in the gitolite log I had this:

    8161    http    ARGV=user2  SOC=git-receive-pack 'dbatest'  FROM=10.65.184.239
    8161    die W any dbatest user2 DENIED by refs/heads/test<<newline>>(or you mis-spelled the reponame)
    

It looks good, but when he tried to push something into the master branch he got this message too.

I tried mixing these lines in my gitolite config file, but they didn't work for me.

I would be happy if someone could help me with it. I want to restrict write access to some branches for some developers. I can't create an additional repository; I must use a restrictive policy on one main repository.

Big Thanks!

2 solutions collected from the web for “Gitolite restrict access to branch”

If I look at the official documentation:

    repo foo bar
    
        RW+                     =   alice @teamleads
        -   master              =   dilbert @devteam
        -   refs/tags/v[0-9]    =   dilbert @devteam
        RW+ dev/                =   dilbert @devteam
        RW                      =   dilbert @devteam
        R                       =   @managers
    

dilbert and the dev team have these restrictions

  • they can do anything to branches whose names start with "dev/"
  • **they can create or fast-forward push, but not rewind or delete, any branch except `master`**

So this looks right:

    - test  = @developers2
    RW+     = @developers2

However, gitolite has two checks:

  • one when the ref is unknown (in which case - test is ignored),
  • one for when the ref is known.

In your case, the ref (test) should be known and the deny rule apply.

You can debug more by tracing the logic of your specific rules with:

    gitolite access -s dbatest user2 W test
    

The OP Sufelfay confirms in the comments that it works with 3.5.3, not with 3.6.x.

As Sufelfay said in the comments to the other posting, this is a bug in recent versions of Gitolite.

The access check is split into two phases. During the initial phase the ref is unknown and Gitolite is supposed to skip all rules referring to refs.

In fact, however, it applies all rules but ignores the ref specification. Thus …

    - test = @developers2
    

… is evaluated as …

    - = @developers2
    

… during the first phase. To make matters worse, the error indicates the very last rule which was processed. This rule may be unrelated.

As a workaround, you can add an access rule for any before the deny rules:

    RW  any   =  @developers2
    -   test  =  @developers2
    ...
    
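
The two-phase behaviour described in the second answer, as an added example that is not part of the original answers and is not Gitolite's code: a simplified Python model in which phase 1 (ref `any`) ignores every refex. The rule parser, the `refs/heads/` prefixing, the anchored prefix match and the use of group names as members are assumptions of the model; the two configurations are the question's variant 3 and the answer's workaround.

```python
import re

# Constructed from the page: variant 3 of the question and the workaround.
CONFIG_3 = """
RW+    = @developers1
R test = @developers2
- test = @developers2
RW+    = @developers2
"""
WORKAROUND = """
RW+    = @developers1
RW any = @developers2
- test = @developers2
RW+    = @developers2
"""

def parse_rules(conf):
    """Parse 'PERM [refex] = members' lines into (perm, refex, members)."""
    rules = []
    for line in conf.strip().splitlines():
        left, members = line.split("=", 1)
        parts = left.split()
        refex = parts[1] if len(parts) > 1 else "refs/.*"
        if not refex.startswith("refs/"):  # assumption: bare names are branches
            refex = "refs/heads/" + refex
        rules.append((parts[0], refex, members.split()))
    return rules

def check(rules, member, access, ref):
    """First applicable rule decides; ref='any' models phase 1 (refex ignored)."""
    for perm, refex, members in rules:
        if member not in members:
            continue
        if ref != "any" and not re.match(refex, ref):
            continue
        if perm == "-":
            return "DENIED by " + refex
        if access in perm:
            return "allowed by " + refex
    return "DENIED by fallthru"

def push(rules, member, branch):
    """A push has to pass phase 1 (ref unknown), then phase 2 (ref known)."""
    first = check(rules, member, "W", "any")
    if first.startswith("DENIED"):
        return "phase 1: " + first
    return "phase 2: " + check(rules, member, "W", "refs/heads/" + branch)

if __name__ == "__main__":
    for name, conf in (("variant 3", CONFIG_3), ("workaround", WORKAROUND)):
        for branch in ("master", "test"):
            print(name, branch, push(parse_rules(conf), "@developers2", branch))
```

In the model, `RW any` is an ordinary rule that happens to come first, so it admits the push in phase 1 while the `- test` rule still denies `refs/heads/test` in phase 2.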