About permission evaluation for repository group owner.
Mads Kiilerich
mads at kiilerich.com
Sun May 7 16:52:16 UTC 2023
On 07/05/2023 17:37, toras wrote:
> Commit abc29122c7f2 has been addressed to allow repository group owner
> changes.
> I think the owner change itself is working.
> However, for non-admin users, the permission evaluation in the
> repository group seems to be incorrect.
>
> For example, if you try to create a repository in that repository
> group as a changed owner user, you will get the error 'no permission
> to create repo in xxxxxxxx'.
> After a little research, it seemed to me that the
> repository_group_permissions() in auth.py, which is used beyond the
> HasRepoGroupPermissionLevel() call, needs to be evaluated for being
> the owner of the repository group.
> Could you please confirm this?
I think you are right.
Before, group ownership couldn't be used for anything, and everybody had
to use explicit permissions on the group instead. On group creation, the
owner is thus given explicit admin permissions unless it is a global
admin. (That create problems if global admin permissions is removed from
the user, and the user thus loses permissions for the groups they own.)
Recently, we made group ownership more manageable, but that also exposes
that we have to make the implementation more complete. The new owner has
to be given admin permissions somehow.
I think repository_group_permissions has to give admin permissions for
the group owner, similar to how repository_permissions gives admin
permissions to the repo owner. That shouldn't make the computation more
complex or expensive, so that should be fine.
I propose
https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d
.
Also, we should stop giving explicit admin permissions on group
creation. But that is a change with no immediate benefit, so that should
probably happen on the stable branch.
I propose
https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3
Please, can you test these changes and verify they solve the problem for
you?
Do you see other problems related to these changes? Any other places
where the code makes incorrect assumptions on repo groups and owner /
permissions?
> Additionally, I have a question regarding the permission evaluation
> for repository groups, separate from the issue mentioned above.
> Currently, regular users cannot create repositories within a
> repository group unless they have administrative privileges for the
> group.
> I feel that requiring administrative privileges is a bit excessive.
> What are your thoughts on this matter?
If you edit a repository group, the permissions tab will describe it as
"Write" as "(Add repos)". Admin access should not be necessary. Please
verify that you really see the behaviour you describe.
(For some reason, repo group creation is more constrained in than repo
creation... but that's yet another story.)
/Mads
More information about the kallithea-general
mailing list