Create/fork repo permissions should be decided taking both user and repository group into account

Issue #730 resolved
Mats Andreassen
created an issue

I've investigated the possibilities for limiting where a user can create/fork a repo in the Rhodecode web interface. It appears to me that this can only be set globally (either using the default settings or overridden by group adherence).

It would be desirable to be able to limit this to a specific repository group for a specific user or users (belonging to a group).

E.g. in my company we create /users/<username> repository groups where users can create and fork to their heart's content, but elsewhere in the repository other rules apply.

Comments (8)

  1. Mats Andreassen reporter

    I realise I might have made a hasty conclusion here. While testing the permission system, I must admit I did not attempt to actually create a repo and earlier today I encountered a "no permission to create repo" message.

    Is there some disconnect between the permission system and the displaying of the "Create new repository" button?

  2. Marcin Kuzminski repo owner

    The button should be hidden when you don't have permission to create repos. Can you present a case when you were able to see the button, and don't have permission to do it?

  3. Mats Andreassen reporter

    Let's see...

    • Default permissions are set thusly: create/fork repo is disabled.
    • A user group is created which overrides the default permissions by enabling create/fork repo.
    • A user is created and added to the user group.
    • A repository group is created and the user group is given READ permission on said group.

    The user can now click the 'add repo' button but actually pressing 'add' a red text appears beside the "repo group" selection box saying: "You don't have permissions to create repository in this group".

    Further details: 1) The "repository group" selection box is always empty initially regardless of which group you were browsing when you press "add repo". The user therefore has to select the correct group. 2) The user is actually able to create a repo on the root level. Where can this be controlled?

  4. Marcin Kuzminski repo owner

    """The user can now click the 'add repo' button but actually pressing 'add' a red text appears beside the "repo group" selection box saying: "You don't have permissions to create repository in this group"."""

    The list of repos in there is all those you have a READ permission for. This is why the validation of whether you can really create repositories is made when you create.

    Now when I think over this, I think it should really be a list with write+ permission only.

    re #1 - this is now fixed in beta branch

    NOTE: beta branch also has a new functionality called group management delegation; it works basically in a way that when someone has an admin permission for a group, he can control that group and create subgroups/repos inside.

    re #2 - need to check that case a little more, since you can set create repo permission to disabled, and that disables creation of repositories EVERYWHERE. I think the group management delegation should change that behavior to EVERYWHERE except when you're an admin of a group.

  5. Mats Andreassen reporter

    Group management delegation sounds great! Very useful, indeed.

    I agree that the repo group selection box should only have valid values inside it (i.e. groups for which the user has WRITE+ permissions). Would this entail that the "Add repository" button will be invisible or at least disabled in repo groups where the user lacks WRITE+ permissions?

    Regarding the last case: should it not be "except when you have WRITE+ permissions for a group" since we are talking about repo creation. When we are talking about repo group creation, as I see it, then group admin permission is required. Please correct me if I'm wrong. :)

  6. Marcin Kuzminski repo owner

    So "I agree that the repo group selection box should only have valid values inside it (i.e. groups for which the user has WRITE+ permissions). Would this entail that the "Add repository" button will be invisible or at least disabled in repo groups where the user lacks WRITE+ permissions?" <= all this is now implemented in beta.

    And as for the second part, then yes it should be except when you have WRITE+ permission. But I need some time to implement this case.

    Feel free to close this issue and open a new one with a case of only allowing creation of repositories in a group and not in root.

    Cheers
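
The rule this thread converges on, sketched as an added example (not RhodeCode's code and not part of any comment above): one predicate decides repository creation, and the selection box, the "Add repository" button and the create handler all call it, so the form never offers a group the server will reject. The `User` class, the `ROOT` marker, the function names and the sample groups are hypothetical.

```python
from dataclasses import dataclass, field

LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}
ROOT = ""  # hypothetical marker for the top level (no repository group)


@dataclass
class User:
    name: str
    global_create: bool  # effective global create/fork flag (defaults + user groups)
    group_perms: dict = field(default_factory=dict)  # repo group -> level name


def can_create_repo(user, group):
    """The one authorization decision; UI and create handler both call it."""
    if group == ROOT:
        return user.global_create
    # Inside a group READ is not enough: WRITE+ on that group is required,
    # and is sufficient even when the global flag is off (rule from the thread).
    return LEVELS[user.group_perms.get(group, "none")] >= LEVELS["write"]


def group_choices(user, all_groups):
    """Values for the "repository group" selection box."""
    return [g for g in [ROOT, *all_groups] if can_create_repo(user, g)]


def show_add_button(user, current_group):
    """Visibility of the "Add repository" button while browsing a group."""
    return can_create_repo(user, current_group)


def create_repo(user, group, name):
    """Server-side enforcement; never relies on what the form offered."""
    if not can_create_repo(user, group):
        where = group or "<root>"
        raise PermissionError(f"{user.name} may not create repositories in {where}")
    return f"{group}/{name}" if group else name


# Constructed sample data modelled on the reporter's /users/<username> setup.
GROUPS = ["projects", "users/mats"]
mats = User("mats", global_create=False,
            group_perms={"projects": "read", "users/mats": "write"})
```
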
