About permission evaluation for repository group owner.

Mads Kiilerich mads at kiilerich.com
Tue May 9 17:11:10 UTC 2023


On 09/05/2023 16:04, toras wrote:
> > I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d .
>
> As far as I have tried, I believe this change fixes the new owner to 
> operate correctly. (Both from the web and from the API.)


Thanks for verifying.


> > I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3
>
> I believe that this change is also necessary to properly remove 
> permissions from the previous owner.


Ok, then let's take this to the stable branch too.


> > Do you see other problems related to these changes? Any other places 
> where the code makes incorrect assumptions on repo groups
> > and owner / permissions?
>
> Related to the second issue, there seems to be a problem that "the 
> owner (non-super user) of a group cannot set permissions for 
> himself/herself".
> In the permission settings screen, the owner cannot set the following 
> write permissions for himself/herself.
> Any attempt to do so fails with the message 'Cannot revoke permission 
> for yourself as admin'.
> I think this is part of the behavior that remains from when we were 
> handling explicitly granting administrative privileges to groups.
>
> However, some groups can be modified, and there may be conditions 
> under which the above failure occurs.
> This may be the case for groups created by ordinary users themselves.


Right - nice catch. I don't think there are any valid use cases for this 
code now. And there is also similar code in the web templates.

Please consider 
https://kallithea-scm.org/repos/kallithea-incoming/changeset/ab8e9f05241a .


> > (For some reason, repo group creation is more constrained than 
> repo creation... but that's yet another story.)
...
> Sometimes I wonder why, because I want to create a group with the 
> following structure, but cannot do so with only write permission.
>
> personals         <- Created by admin.
>   + userA_group   <- Created by userA.
>   + userB_group   <- Created by userB.


Yeah, if I remember correctly, it shows up in several places that repo 
group creation is considered more restricted than repos. For example, if 
I remember correctly, there is no way to allow ordinary users to create 
top level repo groups.

There could perhaps be some philosophical idea that deep nesting is bad, 
and that only admins should be allowed to add more complexity.

Or perhaps it is just that repo groups were added as a half-baked 
afterthought.

It could perhaps be changed, but that would be a different discussion, 
and not suitable for the stable branch.


/Mads
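To make the two behaviours discussed in this thread concrete, here is a small model of repo group permission evaluation. It is an added illustration written for this page, not Kallithea's own code, and the function and field names (`RepoGroup`, `effective_permission`, `set_permission_legacy`, `set_permission_fixed`, `change_owner`) are hypothetical. It shows why an owner who is implicitly admin should be allowed to set an explicit permission on themselves, and what the previous owner is left with after an ownership transfer.

```python
from dataclasses import dataclass, field

# Permission levels ordered from weakest to strongest (constructed for this model).
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass
class RepoGroup:
    name: str
    owner: str
    perms: dict = field(default_factory=dict)  # explicit entries: user -> level


def effective_permission(group, user, is_superuser=False):
    """Owner and superusers are implicitly admin; others get their explicit entry."""
    if is_superuser or user == group.owner:
        return "admin"
    return group.perms.get(user, "none")


def set_permission_legacy(group, actor, target, level):
    """Behaviour the thread describes: any admin touching their own entry is refused,
    even when the actor is the owner and the explicit entry is irrelevant."""
    if actor == target and effective_permission(group, actor) == "admin":
        raise PermissionError("Cannot revoke permission for yourself as admin")
    group.perms[target] = level


def set_permission_fixed(group, actor, target, level):
    """Refuse only a change that would really strip the actor's admin access.
    The owner stays admin whatever the explicit entry says, so self-edits are fine."""
    if effective_permission(group, actor) != "admin":
        raise PermissionError("Only admins may change permissions")
    if actor == target and actor != group.owner and LEVELS[level] < LEVELS["admin"]:
        raise PermissionError("Cannot revoke permission for yourself as admin")
    group.perms[target] = level


def change_owner(group, new_owner):
    """Transfer ownership and return what the previous owner is left with:
    only their explicit entry, since the implicit admin went with the ownership."""
    previous = group.owner
    group.owner = new_owner
    return effective_permission(group, previous)


def attempt(fn, *args):
    """Run a permission change; return None on success or the refusal message."""
    try:
        fn(*args)
        return None
    except PermissionError as exc:
        return str(exc)
```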


