"Sun Chao via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes: > Gerrit is implemented by JGit and is known as a centralized workflow system > which supports reference-level access control for repository. If we choose > to work in centralized workflow like what Gerrit provided, reference-level > access control is needed and is possible if we add a reference advertise > filter hook just like what Gerrit did. It may be one starting point, but is it sufficient to call it "possible"? The server side needs to tighten "fetch by object name" to refuse to serve objects that are not reachable from any of the refs advertised to the client requesting them. IIRC, fetch protocol v2 is wide open and does not limit the requests to those that are only reachable from the advertised refs.
