introduce more optional user restrictions #1003
Conversation
| @@ -48,6 +48,14 @@ | |||
| APP_CONFIG["registry"] = { | |||
| "jwt_expiration_time" => { "value" => 5 }, | |||
| "catalog_page" => { "value" => 100 } | |||
There was a problem hiding this comment.
Missing comma. That's the compiler error you're getting 😉
There was a problem hiding this comment.
Actually, it should be a missing curly brace 😉
There was a problem hiding this comment.
Ah, sure. I was reading it as if it was all in the same hash 😁
|
Moreover, you have to add options for portusctl. Bear in mind that they don't necessarily have to be named like Other than that, everything looks good to me 👍 |
|
Oh right, totally forgot about those additions. Thanks! |
|
Done. Now, that I'm thinking about it, we should also hide the create/edit buttons from users if needed. Otherwise, these would only lead to confusion. |
monstermunchkin
changed the title
|
This should be it. |
monstermunchkin
changed the title
| (namespace.global? && user.admin?) || \ | ||
| (!namespace.global? && (user.admin? || namespace.team.owners.exists?(user.id))) | ||
| user.admin? || (APP_CONFIG.enabled?("user_permission.change_visibility") && | ||
| !namespace.global? && namespace.team.owners.exists?(user.id)) |
There was a problem hiding this comment.
The message "must be logged in" as at least misleading (to be correct: it is wrong) in the case of prohibition by APP_CONFIG. Actually the user is logged in but he is not allowed to do the change.
This applies to other code changes in this commit as well.
There was a problem hiding this comment.
The message "must be logged in" is only shown if a user is not logged in. In case of prohibition by APP_CONFIG, the user should just get a 401. The Ruby code might look a bit confusing at first.
There was a problem hiding this comment.
Ah, now I see. The raise statement ends with "unless user". Sorry for confusion and thanks for explaination.
|
In #676 there was a consence about
From looking at the code I do not see, that this is accomplished with this commit (of course, I'm not much of a ruby expert) |
|
The options |
Thanks, I wasn't sure that creation is deemed a modifaction ;-) We will test this (together with some other fixes) after it gets merged and an images is published on dockerhub. |
Good point. Perhaps we should rename them to something like |
|
@monstermunchkin maybe renaming it to |
| def update? | ||
| !@team.hidden? && owner? | ||
| (APP_CONFIG.enabled?("user_permission.modify_team") || user.admin?) && !@team.hidden? && owner? |
There was a problem hiding this comment.
create? && !@team.hidden? && owner?Options regarding user permissions can be found under the `user_permission` node in the config file. The three options are: * **change_visibility** permits the user to change the visibility of namespaces he/she owns * **modify_team** permits the user to change team attributes, e.g. name or description, given that he/she is an owners * **modify_namespace** permits the user to change namespace attributes, e.g. name, team, or description, given that he/she is an owners Note that the previous user restriction regarding namespace visibility only applied to a user's personal namespace. This has been extended to all namespaces the user owns. Resolves #676 Signed-off-by: Thomas Hipp <thipp@suse.de>
|
The options have been renamed to |
|
Thanks 👏 |
Options regarding user permissions can be found under the
user_permissionnode in the config file.The three options are:
permits the user to change the visibility of namespaces he/she owns
permits the user to change team attributes, e.g. name or description,
given that he/she is an owners
permits the user to change namespace attributes, e.g. name, team, or
description, given that he/she is an owners
Note that the previous user restriction regarding namespace visibility
only applied to a user's personal namespace. This has been extended to
all namespaces the user owns.
Resolves #676
Signed-off-by: Thomas Hipp thipp@suse.de