When a user is in both the read and write groups, the permission taken into account is the last saved permission

Issue #644 resolved
Arnaud GUT
created an issue

Hi Marcin,
Situation: we have a private repo with a read user group associated and a write user group associated.
In the read user group, we put all the people from the department, as all people are allowed to see all the repos.
The write user group contains only people allowed to write the repo.
So, in this situation, write users are both in the read and write user groups.
Bug: if I add somebody to the read user group, the users in the write user group can no longer write, only read. To change this situation, I must add/remove a user in the write user group. And then, the write users can write again. This means that each time I add somebody to the global read group, I must also change each write group to give write access to users again. It's very difficult to work like that.
So:
1) It seems that the last saved user group supersedes the other
2) Normally, if a user is declared read in one group and write in another group, the write permission must be taken into account.
Arnaud
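The two merge rules at issue in this report, side by side, as an added example that is not part of the original issue and not RhodeCode's own code: the `PERM_WEIGHTS` values, the permission names other than `repository.admin`, and the groups and users are assumptions made for the illustration.

```python
# Added example, not RhodeCode's code: how one user's permission on a
# repository is merged from several user groups. The weight values, the
# permission names other than 'repository.admin', and the sample groups
# are assumptions for this illustration.

# Assumed weights: a higher number means a more privileged permission.
PERM_WEIGHTS = {
    "repository.none": 0,
    "repository.read": 1,
    "repository.write": 3,
    "repository.admin": 4,
}

# Constructed sample data for the situation in the report: everyone in the
# department reads; a smaller group writes; writers are in both groups.
MEMBERS = {
    "department-readers": {"alice", "bob"},
    "project-writers": {"bob"},
}

# Group grants on the repo, ordered by when each group was last saved.
# The read group was edited last (a new reader was added), so it comes last.
GRANTS_READ_SAVED_LAST = [
    ("project-writers", "repository.write"),
    ("department-readers", "repository.read"),
]


def effective_permission(user, members, grants, *, highest_wins, owner=None):
    """Return `user`'s permission on the repo, merged over the groups in `grants`.

    highest_wins=False reproduces the reported bug: every matching group
    overwrites the previous result, so the last saved group decides.
    highest_wins=True applies the rule the reporter asks for: a group can
    only raise the permission, so read + write yields write.
    """
    current = "repository.none"
    for group, perm in grants:
        if user not in members.get(group, set()):
            continue
        if owner == user:
            # The repository owner is always admin, whichever group matched.
            perm = "repository.admin"
        if highest_wins:
            if PERM_WEIGHTS[perm] > PERM_WEIGHTS[current]:
                current = perm
        else:
            current = perm  # unconditional overwrite: last saved group wins
    return current


def compare(user):
    """Show both merge rules side by side for one user."""
    return {
        "last_saved_wins": effective_permission(
            user, MEMBERS, GRANTS_READ_SAVED_LAST, highest_wins=False),
        "highest_wins": effective_permission(
            user, MEMBERS, GRANTS_READ_SAVED_LAST, highest_wins=True),
    }


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, compare(who))
```

With the read group saved last, `bob` (a member of both groups) ends up with `repository.read` under the last-saved rule and `repository.write` under the highest-wins rule; `alice`, who is only a reader, gets `repository.read` either way. The owner upgrade is applied before the weight comparison, so it is never discarded by a lower group grant.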

Comments (4)

  1. Marcin Kuzminski repo owner

    Hi, sorry for the long response on this one. This is a part of the explicit permissions system introduced in 1.4.X. In the meantime I'm trying to code a configurable solution, but for now, to overcome this issue please see this diff that makes the permissions work like in your description

    diff --git a/rhodecode/model/user.py b/rhodecode/model/user.py
    --- a/rhodecode/model/user.py
    +++ b/rhodecode/model/user.py
    @@ -520,21 +520,20 @@ class UserModel(BaseModel):
                 .all()
    
             for perm in user_repo_perms_from_users_groups:
                 r_k = perm.UsersGroupRepoToPerm.repository.repo_name
                 p = perm.Permission.permission_name
                 cur_perm = user.permissions[RK][r_k]
                 # overwrite permission only if it's greater than permission
                 # given from other sources - disabled with `or 1` now
    -            if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1:  # disable check
    -                if perm.Repository.user_id == uid:
    -                    # set admin if owner
    -                    p = 'repository.admin'
    -
    +            if perm.Repository.user_id == uid:
    +                # set admin if owner
    +                p = 'repository.admin'
    +            if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]:
                     user.permissions[RK][r_k] = p
    
             # user explicit permissions for repositories
             user_repo_perms = \
              self.sa.query(UserRepoToPerm, Permission, Repository)\
                 .join((Repository, UserRepoToPerm.repository_id ==
                        Repository.repo_id))\
                 .join((Permission, UserRepoToPerm.permission_id ==
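    Review bot: restoring the `PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]` check means a group grant that weighs less than the value already in `user.permissions[RK][r_k]` (from the defaults or an earlier group) is now silently ignored, so a user group can only raise a permission and never lower it. That is what the reporter asks for, but it is the opposite of what the `or 1` was there to provide, so the trade-off should be stated in a comment next to the new `if`. The unchanged comment just above it, `# given from other sources - disabled with \`or 1\` now`, is now stale and should be reworded, since the check is enabled again. Moving `p = 'repository.admin'` for the owner ahead of the comparison is the right order: with the check live, the admin weight is what gets compared, so the owner upgrade is no longer skipped when the group's own permission is not greater than `cur_perm`.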
    