Re: About permission evaluation for repository group owner.
Hi > Right - nice catch. I don't think there are any valid use cases for this code now. And there is also similar code in the web > templates. > > Please consider https://kallithea-scm.org/repos/kallithea-incoming/changeset/ab8e9f05241a . Thanks for the correction code. I have applied this change and verified that the permissions can be set successfully. >> (repository group permission) >> ... > It could perhaps be changed, but that would be a different discussion, and not suitable for the stable branch. Agreed. There may be room for improvement, but I don't think it is something to be done hastily. Thanks -- toras9000 ___ kallithea-general mailing list kallithea-general@sfconservancy.org https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
Re: About permission evaluation for repository group owner.
On 09/05/2023 16:04, toras wrote: > I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d . As far as I have tried, I believe this change fixes the new owner to operate correctly. (Both from the web and from the API.) Thanks for verifying. > I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3 I believe that this change is also necessary to properly remove permissions from the previous owner. Ok, then let's take this to the stable branch too. > Do you see other problems related to these changes? Any other places where the code makes incorrect assumptions on repo groups > and owner / permissions? Related to the second issue, there seems to be a problem that "the owner (non-super user) of a group cannot set permissions for himself/herself". In the permission settings screen, the owner cannot set the following write permissions for himself/herself. Any attempt to do so fails with the message 'Cannot revoke permission for yourself as admin'. I think this is part of the behavior that remains from when we were handling explicitly granting administrative privileges to groups. However, some groups can be modified, and there may be conditions under which the above failure occurs. This may be the case for groups created by ordinary users themselves. Right - nice catch. I don't think there are any valid use cases for this code now. And there is also similar code in the web templates. Please consider https://kallithea-scm.org/repos/kallithea-incoming/changeset/ab8e9f05241a . > (For some reason, repo group creation is more constrained in than repo creation... but that's yet another story.) ... Sometimes I wonder why, because I want to create a group with the following structure, but cannot do so with only write permission. personals <- Create by admin. + userA_group <- Create by userA. + userB_group <- Create by userB. Yeah, if I remember correctly, it shows up in several places that repo group creation is considered more restricted than repos. For example, if I remember correctly, there is no way to allow ordinary users to create top level repo groups. There could perhaps be some philosophical idea that deep nesting is bad, and that only admins should be allowed to add more complexity. Or perhaps it is just that repo groups were added as a half-baked afterthought. It could perhaps be changed, but that would be a different discussion, and not suitable for the stable branch. /Mads ___ kallithea-general mailing list kallithea-general@sfconservancy.org https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
Re: About permission evaluation for repository group owner.
Hi. Thank you for confirming. > I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d . As far as I have tried, I believe this change fixes the new owner to operate correctly. (Both from the web and from the API.) > I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3 I believe that this change is also necessary to properly remove permissions from the previous owner. > Do you see other problems related to these changes? Any other places where the code makes incorrect assumptions on repo groups > and owner / permissions? Related to the second issue, there seems to be a problem that "the owner (non-super user) of a group cannot set permissions for himself/herself". In the permission settings screen, the owner cannot set the following write permissions for himself/herself. Any attempt to do so fails with the message 'Cannot revoke permission for yourself as admin'. I think this is part of the behavior that remains from when we were handling explicitly granting administrative privileges to groups. However, some groups can be modified, and there may be conditions under which the above failure occurs. This may be the case for groups created by ordinary users themselves. > If you edit a repository group, the permissions tab will describe it as "Write" as "(Add repos)". Admin access should not be > necessary. Please verify that you really see the behaviour you describe. > (For some reason, repo group creation is more constrained in than repo creation... but that's yet another story.) My apologies. I meant to write "repository groups" instead of "repository" but I was wrong. Sometimes I wonder why, because I want to create a group with the following structure, but cannot do so with only write permission. personals <- Create by admin. + userA_group <- Create by userA. + userB_group <- Create by userB. Thanks -- toras9000 ___ kallithea-general mailing list kallithea-general@sfconservancy.org https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
Re: About permission evaluation for repository group owner.
On 07/05/2023 17:37, toras wrote: Commit abc29122c7f2 has been addressed to allow repository group owner changes. I think the owner change itself is working. However, for non-admin users, the permission evaluation in the repository group seems to be incorrect. For example, if you try to create a repository in that repository group as a changed owner user, you will get the error 'no permission to create repo in '. After a little research, it seemed to me that the repository_group_permissions() in auth.py, which is used beyond the HasRepoGroupPermissionLevel() call, needs to be evaluated for being the owner of the repository group. Could you please confirm this? I think you are right. Before, group ownership couldn't be used for anything, and everybody had to use explicit permissions on the group instead. On group creation, the owner is thus given explicit admin permissions unless it is a global admin. (That create problems if global admin permissions is removed from the user, and the user thus loses permissions for the groups they own.) Recently, we made group ownership more manageable, but that also exposes that we have to make the implementation more complete. The new owner has to be given admin permissions somehow. I think repository_group_permissions has to give admin permissions for the group owner, similar to how repository_permissions gives admin permissions to the repo owner. That shouldn't make the computation more complex or expensive, so that should be fine. I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/dee1b60bad29621882eb769eb5bc8707647ccf1d . Also, we should stop giving explicit admin permissions on group creation. But that is a change with no immediate benefit, so that should probably happen on the stable branch. I propose https://kallithea-scm.org/repos/kallithea-incoming/changeset/bf7369172810fb1a9452af767a2168edba3dc2f3 Please, can you test these changes and verify they solve the problem for you? Do you see other problems related to these changes? Any other places where the code makes incorrect assumptions on repo groups and owner / permissions? Additionally, I have a question regarding the permission evaluation for repository groups, separate from the issue mentioned above. Currently, regular users cannot create repositories within a repository group unless they have administrative privileges for the group. I feel that requiring administrative privileges is a bit excessive. What are your thoughts on this matter? If you edit a repository group, the permissions tab will describe it as "Write" as "(Add repos)". Admin access should not be necessary. Please verify that you really see the behaviour you describe. (For some reason, repo group creation is more constrained in than repo creation... but that's yet another story.) /Mads ___ kallithea-general mailing list kallithea-general@sfconservancy.org https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
