Skip to content

[Design + API] Owner-level HEAD access control for cross-owner linked sources #2554

Open
Open
[Design + API] Owner-level HEAD access control for cross-owner linked sources#2554
Labels
component/apiCore terminology service APIsignal/high-riskSignificant potential impact if incorrectsignal/large-scopeAffects multiple areas or systemsstage/triagedAI triage complete — scored and classifiedtype/featureNew or improved functionality
Milestone
Linked Sources
@jamlung-ri

Description

@jamlung-ri
jamlung-ri
opened on Jun 1, 2026

Overview

For a collection to HEAD-link to a source it does not own, the source's owner must explicitly grant HEAD access to the collection's owner. OCL currently has no mechanism for owner-to-owner authorization. This ticket covers the design and implementation of that access control layer.

All same-owner linked source tickets (#2546#2553) can ship without this. This ticket unblocks cross-owner use cases only (e.g., MSF Belgium collection HEAD-linking to the MSF source).

Background

Jonathan Payne (2026-05-29): "We don't really have a precedent for that type of access control." Today, HEAD is accessible to anyone with repo access (versionless references point to latest, but HEAD is still reachable). Future permissions work must change this. The key constraint: authorization must be owner-based, not user-based — the collection's owner (org or user) is authorized, not an individual user, so resolution is consistent regardless of who triggers it.

Cross-owner use case (MSF example)

MSF Belgium has a collection that HEAD-links to the MSF source. MSF (the source owner) grants HEAD access to the MSF Belgium owner. MSF Belgium's collections can now resolve to MSF source HEAD during authoring. However: MSF Belgium will always depend on MSF to cut a source release before MSF Belgium can publish a collection version. This implied dependency should be communicated clearly in the UI.

Tasks

  • Design: define the data model for owner-to-owner HEAD authorization (e.g., new SourceHeadAccess model on Source, or a JSON list of authorized owner URLs on the Source)
  • API: source-level endpoint to add/remove authorized external owners for HEAD access (source owner only)
  • API: permission check when configuring a HEAD-link — if collection owner ≠ source owner, verify the collection's owner is in the source's authorized list
  • API: permission check during resolution — when resolving to source HEAD, enforce that the requesting collection's owner is authorized
  • UI: source settings page gains a "HEAD access" section for managing authorized external owners
  • UI: collection linked-source picker surfaces only sources that the collection's owner is authorized to HEAD-link (same owner + explicitly authorized cross-owner sources)
  • Validate that this approach does not conflict with the broader OCL permissions roadmap

Key code areas

  • core/common/permissions.pyHasPrivateAccess, HasOwnership, CanEditConceptDictionary — extend or add owner-level permission type
  • core/collections/models.py:43 — Collection model
  • src/components/repos/RepoCreate.jsx — source settings form

Dependencies

  • All same-owner linked source tickets are independent of this
  • This must ship before cross-owner HEAD-link is enabled

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    component/apiCore terminology service APIsignal/high-riskSignificant potential impact if incorrectsignal/large-scopeAffects multiple areas or systemsstage/triagedAI triage complete — scored and classifiedtype/featureNew or improved functionality

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions