Re: About permission evaluation for repository group owner.

Tue, 09 May 2023 10:11:24 -0700 

On 09/05/2023 16:04, toras wrote:
> I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d . 


As far as I have tried, I believe this change fixes the new owner to 
operate correctly. (Both from the web and from the API.)



Thanks for verifying.



> I propose 
https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3



I believe that this change is also necessary to properly remove 
permissions from the previous owner.



Ok, then let's take this to the stable branch too.



> Do you see other problems related to these changes? Any other places 
where the code makes incorrect assumptions on repo groups

> and owner / permissions?


Related to the second issue, there seems to be a problem that "the 
owner (non-super user) of a group cannot set permissions for 
himself/herself".
In the permission settings screen, the owner cannot set the following 
write permissions for himself/herself.
Any attempt to do so fails with the message 'Cannot revoke permission 
for yourself as admin'.
I think this is part of the behavior that remains from when we were 
handling explicitly granting administrative privileges to groups.



However, some groups can be modified, and there may be conditions 
under which the above failure occurs.

This may be the case for groups created by ordinary users themselves.




Right - nice catch. I don't think there are any valid use cases for this 
code now. And there is also similar code in the web templates.



Please consider 
https://kallithea-scm.org/repos/kallithea-incoming/changeset/ab8e9f05241a .




> (For some reason, repo group creation is more constrained in than 
repo creation... but that's yet another story.)

...

Sometimes I wonder why, because I want to create a group with the 
following structure, but cannot do so with only write permission.


personals         <- Create by admin.
  + userA_group   <- Create by userA.
  + userB_group   <- Create by userB.




Yeah, if I remember correctly, it shows up in several places that repo 
group creation is considered more restricted than repos. For example, if 
I remember correctly, there is no way to allow ordinary users to create 
top level repo groups.



There could perhaps be some philosophical idea that deep nesting is bad, 
and that only admins should be allowed to add more complexity.



Or perhaps it is just that repo groups were added as a half-baked 
afterthought.



It could perhaps be changed, but that would be a different discussion, 
and not suitable for the stable branch.



/Mads

_______________________________________________
kallithea-general mailing list
kallithea-general@sfconservancy.org
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general






















					Reply via email to