From a99450294060042ff432fddc1d4512cc8397f24e Mon Sep 17 00:00:00 2001
From: Tomas Kopecek <tkopecek@redhat.com>
Date: May 25 2020 11:29:58 +0000
Subject: hub: default policy allow packagelist changes with 'tag' permission


Fixes: https://pagure.io/koji/issue/2011

---

diff --git a/docs/source/defining_hub_policies.rst b/docs/source/defining_hub_policies.rst
index b419552..9b452bb 100644
--- a/docs/source/defining_hub_policies.rst
+++ b/docs/source/defining_hub_policies.rst
@@ -19,8 +19,11 @@ Policy configuration is optional. If you don't define one, then by default:
 * tag/untag/move operations are governed by tag locks/permissions
 * builds from srpm are only allowed for admins
 * builds from expired repos are only allowed for admins
-* only admins may modify package lists
+* only admins and users with ``tag`` permission may modify package lists
 * tasks go to the default channel
+* vm tasks need ``admin`` or ``win-admin`` permission
+* content generator import can be done by anyone
+* all content ends in ``DEFAULT`` volume.
 
 Configuration
 =============
diff --git a/hub/kojixmlrpc.py b/hub/kojixmlrpc.py
index d1aa728..6b3f6a0 100644
--- a/hub/kojixmlrpc.py
+++ b/hub/kojixmlrpc.py
@@ -530,6 +530,7 @@ _default_policies = {
             ''',
     'package_list': '''
             has_perm admin :: allow
+            has_perm tag :: allow
             all :: deny
             ''',
     'channel': '''