The default permissions are initialized on "All-Projects" creation. This
currently grants the following access permissions on refs/*:
[access "refs/*"]
read = group Administrators
read = group Anonymous Users
revert = group Registered Users
This change modifies these default permissions and moves the second and
third rows to the refs/heads/* section instead.
[access "refs/*"]
read = group Administrators
[access "refs/heads/*"]
read = group Anonymous Users
revert = group Registered Users
With this change, refs/draft-comments, refs/starred-changes and
refs/meta/version are not accessible anymore. For the first two, I
modified the code so that they are implicitly visible to all users. This
won't hurt since we only allow access to the refs belonging to the
calling user (e.g. a user cannot view drafts of another user). For
refs/meta/version, I added a section for it in All-Projects
initialization, such that anonymous users are granted read access.
In the future, we can remove visibility to refs/draft-comments and
refs/starred-changes since they are not actually needed. We keep them in
this change to preserve the current behavior for refs visibility.
Change-Id: I770cd11f10cfb369abe00d34fe9a3287bdf62cfa
3889cceabe