From e198dc489d2c335477932d1d02c06ff2885e31cd Mon Sep 17 00:00:00 2001
From: Toby Padilla <toby@charm.sh>
Date: Mon, 4 Oct 2021 12:18:46 -0500
Subject: [PATCH] Don't allow cloning of `config` repo if anon isn't set to
 read-write

---
 config/auth.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/auth.go b/config/auth.go
index 1a772e27c27384e692d40d6be48cd147f9e62c09..879f694dda189fc7ebbae0a9490cc296b4842698 100644
--- a/config/auth.go
+++ b/config/auth.go
@@ -38,9 +38,14 @@ func (cfg *Config) accessForKey(repo string, pk ssh.PublicKey) gm.AccessLevel {
 					return gm.ReadWriteAccess
 				}
 			}
-			return gm.ReadOnlyAccess
+			if repo != "config" {
+				return gm.ReadOnlyAccess
+			}
 		}
 	}
+	if repo == "config" && (cfg.AnonAccess != "read-write") {
+		return gm.NoAccess
+	}
 	switch cfg.AnonAccess {
 	case "no-access":
 		return gm.NoAccess