Add launch-only property for project users #413
Conversation
|
surely an admin should always be able to do everything? (this is the definition of an admin I would say). Perhaps this could be the basis of a general discussion about more granular user permissions |
|
I am thinking of using Semaphore in a project. But, the restriction is that I will be deploying Semaphore in a different team's infra(with help from their admin/devops). They won't be happy if I have the ability to run/edit/update everything. But with this feature, I can have limited access and push only the changes I am authorized to do. Their admins will be happy with the control, and I will have only as much access as i need(run tasks/playbooks). |
|
I totally hear your use case here, and i agree that it would be good to have, the question is if we put just this in now (as it touches a lot of files) or we try to look at a more fully featured and granular permissions system that will allow us to go deeper with permissions in future. |
|
We need to invest in the more clear solution. This was a kind of dirty hack because I had no time for the proper solution. But currently, the project had active maintainers and we can do it much better. I think this is the good milestone for 2.6 or 2.7. |
|
I'm going to close this PR then and we can use #344 as the issue to deal with this in a more fully featured way |
Fix for #344
The solution may be not ideal - I just added separate
launch_onlyproperty, so the user may have project admin rights and not be able to edit task templates. :)On the other hand, this is may be useful to prevent accidental editing/deletion of templates (project admin can add/remove launch_only property for himself).
Also (please, move it to separate issue, if needed) we need to rewrite
system userorproject usercode. Currently, they contain a similar logic (admin and ordinary user UI, various rights checks), but a very different implementation.