Group permission does not respect repository permission

Issue #600 resolved
Thomas Chojecki
created an issue

Hi, I am trying to create repositories that are Read-Only for the group _authenticated. Each user that wants to write into this "master" repository should create a fork.

This fork should be RW for every _authenticated user.

So I created the group _authenticated and gave it the "All Repositories (Write)" access permission. In the master repository I set the group permission for _authenticated to READ.

If an authenticated user tries to push into this repository, he can. The repository permission does not take effect.

I would expect that the repository permissions would prevent the authenticated user from writing into this repository.

Comments (6)

  1. Sebastian Sdorra repo owner

    Hi, if you add write permissions for the group _authenticated, this means that everyone can write to every repository. The SCM-Manager permissions are not overridable. You could add read permissions to the _authenticated group, and when a user creates a fork the fork plugin will register the user as owner of the fork automatically. But note that administrators can always write to every repository. I will create a wiki page in the next few days to clarify these things.

  2. Thomas Chojecki reporter

    Hi Sebastian, thanks for the fast response. Yes, this is my aim: to give every logged-in user the ability to write in every repository. But I want a group of repositories that are RO. So every user at the company can fork this repository and do his features. This fork will be used by as many users as are involved to implement the feature. After all work is done, a changeset will be created and reviewed. If the review went positive, the changes will be pushed to the RO repository by an admin.

    So at the moment the permission system is a bit limited and there is no easy way to solve the problem with group permissions.

    And if we need to tell every developer he should change the permissions after forking to give specific users RW access, this will go beyond the scope.

    An option to change the inheritance of permissions will be a big help.

    BTW I tried to check out the scm manager to take a look at the code, but the project isn't buildable. There are some SNAPSHOT dependencies that do not exist anymore in the repository.

  3. Sebastian Sdorra repo owner

    The user must not change the permissions of the repository, because the fork-plugin copies the repository permissions. You could create your "master" repository and assign read privileges for the _authenticated group. A user is now able to fork the repository and automatically gets owner privileges for his fork; after he has finished his feature he could send a pull request.
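
A simplified model of the additive permission evaluation discussed in this thread, added here as an illustration; it is not SCM-Manager code. The `Level` ordering, the function names, and the users `alice`, `bob` and `root` are assumptions made for the example.

```python
from enum import IntEnum

class Level(IntEnum):          # assumed ordering, least to most permissive
    NONE = 0
    READ = 1
    WRITE = 2
    OWNER = 3

AUTHENTICATED = "_authenticated"   # group every logged-in user belongs to

def effective(user, repo_grants, global_grants, groups=(), admins=()):
    """Most permissive matching grant wins; no grant can lower another."""
    names = {user, AUTHENTICATED, *groups}
    levels = [lvl
              for grants in (global_grants, repo_grants)
              for name, lvl in grants.items() if name in names]
    if user in admins:
        levels.append(Level.WRITE)     # admins can always write
    return max(levels, default=Level.NONE)

def fork(repo_grants, user):
    """Model of the fork plugin: copy the grants, make the forker owner."""
    forked = dict(repo_grants)
    forked[user] = Level.OWNER
    return forked

def scenario(global_grants):
    """Evaluate a constructed setup: a master repo with READ for the group."""
    master = {AUTHENTICATED: Level.READ}
    alice_fork = fork(master, "alice")
    return {
        "alice on master": effective("alice", master, global_grants),
        "alice on her fork": effective("alice", alice_fork, global_grants),
        "bob on alice's fork": effective("bob", alice_fork, global_grants),
        "root on master": effective("root", master, global_grants,
                                    admins={"root"}),
    }

if __name__ == "__main__":
    setups = {"reported (global WRITE)": {AUTHENTICATED: Level.WRITE},
              "suggested (no global grant)": {}}
    for title, global_grants in setups.items():
        print(title)
        for who, lvl in scenario(global_grants).items():
            print(f"  {who}: {lvl.name}")
```

In the suggested setup the master stays read-only for ordinary users, and other users get only READ on a fork until its owner grants them more.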
