Document permissions needed by the plugin
Bug: Issue 14342
Change-Id: I4ee7e363d1ea67951c6c0ed67908ef621e7be0da
diff --git a/src/main/resources/Documentation/about.md b/src/main/resources/Documentation/about.md
index 4d2d541..3ddbe8c 100644
--- a/src/main/resources/Documentation/about.md
+++ b/src/main/resources/Documentation/about.md
@@ -22,3 +22,18 @@
be created as tags, containing information about the original ref that
was changed, as well as the user that performed the change. This can
be enabled by setting `plugin.ref-protection.createTag true`.
+
+Since the `refs/backups/*` branch is created in the same User scope as the
+delete, `Create Reference` and `Push` permission need to be granted to any user
+that is allowed to delete or force-push a ref or backups will fail.
+This is most conveniently achieved by granting the permission to `Registered
+Users` (all logged in users).
+
+Furthermore, to avoid the backup refs to be exposed to the users, a block on the
+`Read` permission on `refs/backups/*` is necessary.
+This will avoid a possible security issue in the following case:
+* user A has exclusive access to `refs/super-secret-branch`
+* user A create a change in `refs/super-secret-branch`
+* user A deletes `refs/super-secret-branch`
+* `ref-protection` creates a backup in `refs/backups`
+* user B can access `super-secret-branch` backup
