About permission evaluation for repository group owner.

Mads Kiilerich mads at kiilerich.com
Sun May 7 16:52:16 UTC 2023


On 07/05/2023 17:37, toras wrote:
> Commit abc29122c7f2 has been addressed to allow repository group owner 
> changes.
> I think the owner change itself is working.
> However, for non-admin users, the permission evaluation in the 
> repository group seems to be incorrect.
>
> For example, if you try to create a repository in that repository 
> group as a changed owner user, you will get the error 'no permission 
> to create repo in xxxxxxxx'.
> After a little research, it seemed to me that the 
> repository_group_permissions() in auth.py, which is used beyond the 
> HasRepoGroupPermissionLevel() call, needs to be evaluated for being 
> the owner of the repository group.
> Could you please confirm this?


I think you are right.

Before, group ownership couldn't be used for anything, and everybody had 
to use explicit permissions on the group instead. On group creation, the 
owner is thus given explicit admin permissions unless it is a global 
admin. (That creates problems if global admin permissions are removed from 
the user, and the user thus loses permissions for the groups they own.)

Recently, we made group ownership more manageable, but that also exposes 
that we have to make the implementation more complete. The new owner has 
to be given admin permissions somehow.

I think repository_group_permissions has to give admin permissions for 
the group owner, similar to how repository_permissions gives admin 
permissions to the repo owner. That shouldn't make the computation more 
complex or expensive, so that should be fine.

I propose 
https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d 
.

Also, we should stop giving explicit admin permissions on group 
creation. But that is a change with no immediate benefit, so that should 
probably happen on the stable branch.

I propose 
https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3

Please, can you test these changes and verify they solve the problem for 
you?

Do you see other problems related to these changes? Any other places 
where the code makes incorrect assumptions on repo groups and owner / 
permissions?


> Additionally, I have a question regarding the permission evaluation 
> for repository groups, separate from the issue mentioned above.
> Currently, regular users cannot create repositories within a 
> repository group unless they have administrative privileges for the 
> group.
> I feel that requiring administrative privileges is a bit excessive.
> What are your thoughts on this matter?


If you edit a repository group, the permissions tab will describe it as 
"Write" as "(Add repos)". Admin access should not be necessary. Please 
verify that you really see the behaviour you describe.

(For some reason, repo group creation is more constrained than repo 
creation... but that's yet another story.)


/Mads
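
Added example, not part of the original message and not Kallithea's code: a minimal Python model of the repository group permission evaluation discussed above, comparing the result with and without treating the group owner as admin. All class and function names are hypothetical, and the model assumes that changing the owner leaves explicit grants untouched.

```python
from dataclasses import dataclass, field

LEVELS = ["none", "read", "write", "admin"]  # weakest to strongest (model)

@dataclass
class User:
    name: str
    is_global_admin: bool = False

@dataclass
class RepoGroup:
    name: str
    owner: str
    explicit: dict = field(default_factory=dict)  # user name -> level

def create_group(name, creator):
    # Behaviour described in the message: explicit admin for the creating
    # owner, unless that user is a global admin.
    group = RepoGroup(name, creator.name)
    if not creator.is_global_admin:
        group.explicit[creator.name] = "admin"
    return group

def group_permission(user, group, owner_implies_admin):
    if user.is_global_admin:
        return "admin"
    # The proposed rule: ownership alone yields admin on the group.
    if owner_implies_admin and group.owner == user.name:
        return "admin"
    return group.explicit.get(user.name, "none")

def can_create_repo(user, group, owner_implies_admin):
    # "Write" is the level that allows adding repos.
    level = group_permission(user, group, owner_implies_admin)
    return LEVELS.index(level) >= LEVELS.index("write")

def scenarios(owner_implies_admin):
    # Constructed users and groups, for illustration only.
    alice, bob, root = User("alice"), User("bob"), User("root", True)
    g1 = create_group("g1", alice)
    g1.owner = bob.name            # ownership changed; grants untouched (assumption)
    g2 = create_group("g2", root)  # no explicit grant: root was global admin
    root.is_global_admin = False   # global admin removed afterwards
    return {
        "new_owner": can_create_repo(bob, g1, owner_implies_admin),
        "demoted_owner": can_create_repo(root, g2, owner_implies_admin),
        "previous_owner": can_create_repo(alice, g1, owner_implies_admin),
    }
```

With the owner rule off, the new owner and the demoted former global admin are both denied; with it on, both are allowed. In this model the previous owner keeps access in either case through the creation-time explicit grant.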


