Don't allow cloning of `config` repo if anon isn't set to read-write

Toby Padilla created

Change summary

config/auth.go | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

Detailed changes

config/auth.go 🔗

@@ -38,9 +38,14 @@ func (cfg *Config) accessForKey(repo string, pk ssh.PublicKey) gm.AccessLevel {
 					return gm.ReadWriteAccess
 				}
 			}
-			return gm.ReadOnlyAccess
+			if repo != "config" {
+				return gm.ReadOnlyAccess
+			}
 		}
 	}
+	if repo == "config" && (cfg.AnonAccess != "read-write") {
+		return gm.NoAccess
+	}
 	switch cfg.AnonAccess {
 	case "no-access":
 		return gm.NoAccess
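Review bot: The new guards `repo != "config"` and `repo == "config"` are exact, case-sensitive string matches, so the restriction holds only if `repo` always arrives in one canonical form. The hunk does not show whether the caller normalises the name (for example by stripping a `.git` suffix or a leading path) before calling `accessForKey`, so that is worth confirming, or normalising inside this function before both comparisons. The literal is now repeated in two places next to the `"read-write"` literal; a named constant such as `const configRepo = "config"` would keep the two checks from drifting apart. A comment above the second check would also help, e.g. `// Non-collaborators get no access to the config repo unless AnonAccess is "read-write".` The function starts before this hunk and the `switch` continues past it, so any earlier key handling and the `switch`'s default branch are not visible here.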