introduce more optional user restrictions #1003
@@ -48,6 +48,14 @@ | |||
APP_CONFIG["registry"] = { | |||
"jwt_expiration_time" => { "value" => 5 }, | |||
"catalog_page" => { "value" => 100 } |
Missing comma. That's the compiler error you're getting 😉
Actually, it should be a missing curly brace 😉
Ah, sure. I was reading it as if it was all in the same hash 😁
Moreover, you have to add options for portusctl. Bear in mind that they don't necessarily have to be named like Other than that, everything looks good to me 👍
Oh right, totally forgot about those additions. Thanks!
Done. Now that I'm thinking about it, we should also hide the create/edit buttons from users if needed. Otherwise, these would only lead to confusion.
This should be it.
(namespace.global? && user.admin?) || \ | ||
(!namespace.global? && (user.admin? || namespace.team.owners.exists?(user.id))) | ||
user.admin? || (APP_CONFIG.enabled?("user_permission.change_visibility") && | ||
!namespace.global? && namespace.team.owners.exists?(user.id)) |
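Review bot: In the expression that starts with `user.admin? ||`, the owner branch is now gated by `APP_CONFIG.enabled?("user_permission.change_visibility")`, so for a config file that has no `user_permission` node the outcome depends entirely on what `enabled?` returns for a missing key. If that is false, team owners lose the right to change visibility after an upgrade without any message. Please confirm the shipped defaults enable this option (or document the change), and add a policy spec for the disabled case: owner of a non-global namespace denied, admin still allowed.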
The message "must be logged in" is at least misleading (to be correct: it is wrong) in the case of prohibition by APP_CONFIG. Actually the user is logged in but he is not allowed to do the change.
This applies to other code changes in this commit as well.
The message "must be logged in" is only shown if a user is not logged in. In case of prohibition by APP_CONFIG, the user should just get a 401. The Ruby code might look a bit confusing at first.
Ah, now I see. The raise statement ends with "unless user". Sorry for the confusion and thanks for the explanation.
In #676 there was a consensus about
From looking at the code, I do not see that this is accomplished with this commit (of course, I'm not much of a Ruby expert)
The options
Thanks, I wasn't sure that creation is deemed a modification ;-) We will test this (together with some other fixes) after it gets merged and an image is published on dockerhub.
Good point. Perhaps we should rename them to something like
@monstermunchkin maybe renaming it to
def update? | ||
!@team.hidden? && owner? | ||
(APP_CONFIG.enabled?("user_permission.modify_team") || user.admin?) && !@team.hidden? && owner? |
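Review bot: In the last line of `update?`, `user.admin?` only bypasses the `user_permission.modify_team` flag; the result is still and-ed with `owner?`, so with the option disabled an admin can update a team only if `owner?` also holds for them. The namespace visibility check quoted earlier lets `user.admin?` short-circuit the whole expression, so the two policies treat admins differently. If that is intended, a one-line comment saying so would help; otherwise move the admin check outside the conjunction and cover both cases in a spec.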
create? && !@team.hidden? && owner?
Options regarding user permissions can be found under the `user_permission` node in the config file. The three options are:

* **change_visibility** permits the user to change the visibility of namespaces he/she owns
* **modify_team** permits the user to change team attributes, e.g. name or description, given that he/she is an owner
* **modify_namespace** permits the user to change namespace attributes, e.g. name, team, or description, given that he/she is an owner

Note that the previous user restriction regarding namespace visibility only applied to a user's personal namespace. This has been extended to all namespaces the user owns.

Resolves #676

Signed-off-by: Thomas Hipp <thipp@suse.de>
The options have been renamed to
Thanks 👏
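The namespace visibility check discussed in this thread can be compared before and after the change by enumerating every input. This is an added example, not code from the pull request or from Portus: `User`, `Namespace` and the `enabled` argument are stand-ins, and it assumes the first quoted expression is the pre-change check and the second the new one.

```ruby
# Added example with stand-in objects; not the project's own code.
User      = Struct.new(:admin, :owner) # owner: is an owner of the namespace's team
Namespace = Struct.new(:global)

# Visibility check before the change, as quoted in the thread.
def old_change_visibility?(user, namespace)
  (namespace.global && user.admin) ||
    (!namespace.global && (user.admin || user.owner))
end

# Visibility check after the change. `enabled` stands in for
# APP_CONFIG.enabled?("user_permission.change_visibility").
def new_change_visibility?(user, namespace, enabled)
  user.admin || (enabled && !namespace.global && user.owner)
end

# Every combination of admin / owner / global namespace (constructed input).
def all_cases
  [true, false].product([true, false], [true, false]).map do |admin, owner, global|
    [User.new(admin, owner), Namespace.new(global)]
  end
end

# Cases where old and new checks disagree for a given option value.
def regressions(enabled)
  all_cases.reject do |user, ns|
    old_change_visibility?(user, ns) == new_change_visibility?(user, ns, enabled)
  end
end

# Who may still change visibility when the option is switched off.
def allowed_when_disabled
  all_cases.select { |user, ns| new_change_visibility?(user, ns, false) }
end

if __FILE__ == $PROGRAM_NAME
  puts "differences with option on: #{regressions(true).size}"
  regressions(false).each do |user, ns|
    puts "option off denies: admin=#{user.admin} owner=#{user.owner} global=#{ns.global}"
  end
end
```

With the option on, the rewritten check grants exactly what the old one did; with it off, the only case that changes is a non-admin team owner on a non-global namespace.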