users_group permissions are ignored when set to none
I am running RhodeCode in a secure environment where I need to deny access to some repositories for some groups of people in the company, but grant access to everyone else (default).
A typical permissions setting on a repository would look like this:
- admin - user itservices
- admin - user owner
- write - user lead engineer
- read - default (everyone else)
- none - group third_party_users (Deny access or visibility)

I am not a python developer, so all I could guess at by looking at the code is that the permissions are checked against users only, and if the user is not named, the default is used. This makes sense, but what about the users_groups permissions?
In another language (like I said, I am not a python programmer) I wrote some code to resolve this issue in my ssh push/pull access hook that does the following:
- Get all user_groups from the users_group_to_perm table for the repository in question.
- Get all of the members of the users_group.
- Build a list of users and the group permissions from the users_group.
- Overwrite any user from other groups only if the permission is more giving. (None in the first group could be replaced with read from the second group.)
- Load all of the user_to_perm for the repository in question, overwriting any group answers. The named user overrides any group membership in the permissions model.
- Now see if the requested access level (read, write, admin) can be met by looking into the list of users. Only after the requesting user name/id is not found is "default" used.

A side effect of setting default to none is that the repository would act as if it was private. But the default permission should be usable as a user name wild card, but only after looking in all of the groups. I need a way to deny access to a changing group of users.
We are also using LDAP user accounts and LDAP (imported) users_groups. I have an external script to keep the RhodeCode user_group membership in sync with the LDAP group member of attribute.
If you would like to see the "other code", just ask. It is written in PHP (Sorry).
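
The resolution order listed in the steps above, sketched in Python as an added example; it is not the reporter's PHP hook and not RhodeCode's own code. The function names, the `contractors_ro` group, the `vendor*` users and all sample rows are constructed for illustration.

```python
# Added illustration: hypothetical names and constructed data, not RhodeCode code.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

def effective_permissions(group_perms, group_members, user_perms):
    """Resolve {user: level} for one repository.

    group_perms:   {group: level}, like rows of users_group_to_perm
    group_members: {group: [users]}, members of each users_group
    user_perms:    {user: level}, like rows of user_to_perm
    """
    resolved = {}
    # Expand each group; across groups keep the more permissive level.
    for group, level in group_perms.items():
        for user in group_members.get(group, []):
            current = resolved.get(user)
            if current is None or LEVELS[level] > LEVELS[current]:
                resolved[user] = level
    # A named user entry overrides whatever the groups produced.
    for user, level in user_perms.items():
        if user != "default":
            resolved[user] = level
    return resolved

def is_allowed(user, requested, resolved, default_level="none"):
    """Fall back to 'default' only if the user is in no group and not named."""
    if requested not in ("read", "write", "admin"):
        return False  # fail closed on an unknown request
    level = resolved.get(user, default_level)
    return LEVELS.get(level, 0) >= LEVELS[requested]

# Constructed sample rows mirroring the repository settings in the report.
GROUP_PERMS = {"third_party_users": "none", "contractors_ro": "read"}
GROUP_MEMBERS = {
    "third_party_users": ["vendor1", "vendor2"],
    "contractors_ro": ["vendor2"],
}
USER_PERMS = {"itservices": "admin", "owner": "admin",
              "lead_engineer": "write", "default": "read"}

def demo():
    """Return read-access decisions for a few constructed users."""
    resolved = effective_permissions(GROUP_PERMS, GROUP_MEMBERS, USER_PERMS)
    default = USER_PERMS.get("default", "none")
    users = ("vendor1", "vendor2", "lead_engineer", "someone_else")
    return {u: is_allowed(u, "read", resolved, default) for u in users}
```

Here `vendor1` is denied read even though default is read, because the group entry is consulted before the default; `vendor2` gets read because a second group grants more than none.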