On 07/05/2023 17:37, toras wrote:
Commit abc29122c7f2 has been addressed to allow repository group owner changes.
I think the owner change itself is working.
However, for non-admin users, the permission evaluation in the repository group seems to be incorrect.

For example, if you try to create a repository in that repository group as a changed owner user, you will get the error 'no permission to create repo in xxxxxxxx'. After a little research, it seemed to me that the repository_group_permissions() in auth.py, which is used beyond the HasRepoGroupPermissionLevel() call, needs to be evaluated for being the owner of the repository group.
Could you please confirm this?


I think you are right.

Before, group ownership couldn't be used for anything, and everybody had to use explicit permissions on the group instead. On group creation, the owner is thus given explicit admin permissions unless it is a global admin. (That creates problems if global admin permissions are removed from the user, and the user thus loses permissions for the groups they own.)

Recently, we made group ownership more manageable, but that also exposes that we have to make the implementation more complete. The new owner has to be given admin permissions somehow.

I think repository_group_permissions has to give admin permissions for the group owner, similar to how repository_permissions gives admin permissions to the repo owner. That shouldn't make the computation more complex or expensive, so that should be fine.

I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d .

Also, we should stop giving explicit admin permissions on group creation. But that is a change with no immediate benefit, so that should probably happen on the stable branch.

I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3

Please, can you test these changes and verify they solve the problem for you?

Do you see other problems related to these changes? Any other places where the code makes incorrect assumptions on repo groups and owner / permissions?


Additionally, I have a question regarding the permission evaluation for repository groups, separate from the issue mentioned above. Currently, regular users cannot create repositories within a repository group unless they have administrative privileges for the group.
I feel that requiring administrative privileges is a bit excessive.
What are your thoughts on this matter?


If you edit a repository group, the permissions tab will describe it as "Write" as "(Add repos)". Admin access should not be necessary. Please verify that you really see the behaviour you describe.

(For some reason, repo group creation is more constrained than repo creation... but that's yet another story.)


/Mads
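
The two evaluation strategies discussed in this thread, as an added illustration that is not Kallithea code and not written by either poster. Every name in it (User, RepoGroup, create_group, level_explicit_only, level_owner_aware, can_create_repo) is hypothetical; it models only the two cases the thread describes, an owner change and a later removal of global admin rights.

```python
# Simplified model for illustration; not Kallithea code. All names are hypothetical.
from dataclasses import dataclass, field

LEVELS = ["none", "read", "write", "admin"]  # weakest to strongest

@dataclass
class User:
    name: str
    is_global_admin: bool = False

@dataclass
class RepoGroup:
    name: str
    owner: User
    explicit: dict = field(default_factory=dict)  # user name -> level

def create_group(name, creator):
    # Creation-time behaviour described in the thread: explicit admin grant
    # for the owner unless the owner is a global admin.
    group = RepoGroup(name, creator)
    if not creator.is_global_admin:
        group.explicit[creator.name] = "admin"
    return group

def level_explicit_only(user, group):
    # Ownership is ignored; only global admin status and explicit grants count.
    if user.is_global_admin:
        return "admin"
    return group.explicit.get(user.name, "none")

def level_owner_aware(user, group):
    # The current owner is always admin, whatever the explicit grants say.
    if user.name == group.owner.name:
        return "admin"
    return level_explicit_only(user, group)

def can_create_repo(level):
    # The thread states that "Write" ("Add repos") should be sufficient.
    return LEVELS.index(level) >= LEVELS.index("write")

def scenario():
    alice, bob, root = User("alice"), User("bob"), User("root", True)
    team = create_group("team", alice)
    team.owner = bob                  # case 1: owner changed after creation
    infra = create_group("infra", root)
    root.is_global_admin = False      # case 2: global admin removed later
    return {
        "new_owner": (level_explicit_only(bob, team), level_owner_aware(bob, team)),
        "ex_admin": (level_explicit_only(root, infra), level_owner_aware(root, infra)),
    }
```

Each tuple returned by scenario() is (explicit-only level, owner-aware level) for the group's current owner.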
