add ability to remove users from groups #151
Comments
This opens a pretty big can of worms since pretty clearly we don't want to have a case where you add someone and they turn around and remove you. There are two ways we could go here.
|
👍 |
I started working on this using the approach 1) on https://github.com/mynomoto/clojars-web/tree/delete-users-from-groups |
I think I would prefer to go with technomancy's admin/member option, as this is typically how most web apps manage these kinds of permissions, and matches to my mental model of how maintainers would want to manage permissions. |
Ok, I will change it. I have a couple of questions:
|
Probably safest to make all current members admins, as if we only chose the first pusher, they may be people who are no longer involved in the Clojure community and it may be hard to reach them if maintainers want to add new people.
Not too sure. Probably better to keep it additive, by making their admin privileges inactive from a flag. If they are re-added (reactivated) a second time, then the activating user would be the new |
I agree but then we will need to communicate that clearly when this goes live. It's a big change and someone could remove other members from groups.
I'm not sure if I follow. Would delete remove the user from the group or only remove admin privileges? Also changing the added_by_user may cause discontinuous graphs of who added who, not sure if continuous graphs are important though. |
Yeah, perhaps we start off with only the first pusher as admin, give them a month to audit/set permissions, then set everyone else as admins? Not too sure really...
It would remove any privileges, but keep the deleted record for auditing ability.
Don't think this would be a problem? |
So there are scenarios where that could present a problem considering rogue users. If someone removes everyone else from a group, re-adds them and removes them again you would need some place other than the current db to check who had permissions at the beginning, assuming that you would consider a request of the former owner in this situation. As this code is in the open, malicious users could use this info. That's part of the reason why I had picked the option 1) first. Less worms on that can 😉 Let me know if I should move forward with 0) and what to do when someone is re-added. |
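
The remove, re-add, remove sequence raised in the comment above, as an added example that is not part of the original thread or the Clojars code base: membership is kept as an append-only event log, so the state at any earlier point can be rebuilt from the same database. The table, column, group and user names are hypothetical, and letting the first member bootstrap an empty group is an assumption.

```python
import sqlite3

# Hypothetical schema, not Clojars' real tables: one row per change, never updated or deleted.
SCHEMA = """
CREATE TABLE group_events (
    seq      INTEGER PRIMARY KEY AUTOINCREMENT,
    grp      TEXT NOT NULL,
    member   TEXT NOT NULL,
    action   TEXT NOT NULL CHECK (action IN ('add', 'remove')),
    is_admin INTEGER NOT NULL DEFAULT 0,
    actor    TEXT NOT NULL   -- who made the change
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def members_at(db, grp, seq=None):
    """Fold the log into {member: is_admin} as of event `seq` (None = now)."""
    state = {}
    for member, action, is_admin in db.execute(
            "SELECT member, action, is_admin FROM group_events "
            "WHERE grp = ? AND (? IS NULL OR seq <= ?) ORDER BY seq",
            (grp, seq, seq)):
        if action == "add":
            state[member] = bool(is_admin)
        else:
            state.pop(member, None)
    return state

def record(db, grp, actor, action, member, is_admin=False):
    """Append one change and return its seq; only a current admin may act."""
    current = members_at(db, grp)
    if current and not current.get(actor, False):  # empty group: first member bootstraps it
        raise PermissionError(f"{actor} is not an admin of {grp}")
    return db.execute(
        "INSERT INTO group_events (grp, member, action, is_admin, actor) "
        "VALUES (?, ?, ?, ?, ?)", (grp, member, action, int(is_admin), actor)).lastrowid

def replay_scenario():
    """Constructed data: bob removes the others, re-adds them, removes them again."""
    db = open_db()
    record(db, "org.example", "alice", "add", "alice", True)
    record(db, "org.example", "alice", "add", "bob", True)
    start = record(db, "org.example", "alice", "add", "carol")
    for action in ("remove", "add", "remove"):
        for member in ("alice", "carol"):
            record(db, "org.example", "bob", action, member)
    return members_at(db, "org.example", start), members_at(db, "org.example")
```

`replay_scenario()` returns the membership as it stood before the removals alongside the current one, and the `actor` column records who made each change.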
I prefer option 0 as well, and think you should move forward with it if you are still willing. With regards to the issues above:
How do those solutions sound? Any issues you can see? |
Those sound fine, thanks. I hope to find time to do this soon. |
Started a new branch with this approach: https://github.com/mynomoto/clojars-web/tree/remove-users-from-groups |
Great! Feel free to PR when you are ready for feedback. |
Presently you can add a user to a group, but there is no way to delete them.