2.14 release notes: Add warning about changed BLOCK rule evaluation
Change Ia9b57b995 changed the way BLOCK rules are evaluated. This
should be highlighted in the release notes.
Signed-off-by: Edwin Kempin <firstname.lastname@example.org>
diff --git a/releases/2.14.md b/releases/2.14.md
index 2a026d0..cfb63c7 100644
@@ -53,6 +53,28 @@
Existing passwords will be migrated to a hashed password during site initialization
when upgrading from an earlier version of Gerrit.
+### Evaluation of BLOCK permission rules has changed
+An exclusive ALLOW permission now has priority over a BLOCK permission when
+both permissions are defined on the same project.
+This means an exclusive ALLOW rule now overrules BLOCK rules on the same
+BLOCK rules still cannot be overruled by child projects.
+This change makes it possible to allow a permission for a specific ref and to
+block the same permission for all other refs. For example, it is now possible to
+allow all users to push changes for review, but to block all direct pushes:
+ [access "refs/*"]
+ push = block group Anonymous Users
+ [access "refs/for/*"]
+ exclusiveGroupPermissions = push
+ push = group Registered Users
### Deprecation of Velocity Email Templates
This release deprecates the use of Velocity mail templates. In a future release
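Review bot: The added line "This means an exclusive ALLOW rule now overrules BLOCK rules on the same" stops without its object, and it repeats what the two lines before it already say ("An exclusive ALLOW permission now has priority over a BLOCK permission when both permissions are defined on the same project."). Either drop it or complete it so that it reads as one statement ahead of "BLOCK rules still cannot be overruled by child projects." Since the section is meant as an upgrade warning, it would also help to say what an administrator should check: any project that defines both a BLOCK rule and an exclusive ALLOW rule for the same permission will evaluate differently after the upgrade, and a ref that was blocked before may now be allowed. In the example, a short sentence explaining that exclusiveGroupPermissions = push on refs/for/* is what lets the ALLOW win over the refs/* block would make the intent clear to readers who do not know the option.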