mozilla-releng/balrog

Require 2 `admin` signoffs for changes to permissions

bhearsum opened this issue · 0 comments

Currently, we calculate the signoffs required for changes to permissions by taking the full set of all product signoffs (`def getPotentialRequiredSignoffs(self, affected_rows, transaction=None):`). This often means that we need 2, 3, or sometimes even 5 signoffs to make a simple change to permissions.

We should adjust this to require just two signoffs in total. Ideally, it would require them from a full-fledged admin (i.e., has admin permission without any conditions attached). If this ends up being too difficult (it may - because it moves us from looking at "roles" when checking signoffs to looking at "permissions" -- it also may complicate the UI) -- we could consider hardcoding 2 "releng" signoffs instead. We'd have to evaluate potential security issues before going that route - most importantly, we need to make sure that nobody currently has that role that shouldn't, and cannot be granted it by anybody other than a full-fledged admin.
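The difference between the two rules described in this issue, as an added example that is not Balrog's code and not part of the original post. The data shapes, the sample rows, the function names and the "highest count per role wins" aggregation are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; these shapes are assumptions, not Balrog's schema.
PRODUCT_REQUIRED_SIGNOFFS = [
    {"product": "Firefox", "channel": "release", "role": "releng", "signoffs_required": 2},
    {"product": "Firefox", "channel": "release", "role": "relman", "signoffs_required": 1},
    {"product": "Thunderbird", "channel": "release", "role": "tb-relman", "signoffs_required": 2},
]

# username -> {permission: options}. options of None means no conditions attached.
PERMISSIONS = {
    "alice": {"admin": None},
    "bob": {"admin": {"products": ["Firefox"]}},  # conditional admin
    "carol": {"admin": None},
    "dave": {"release": None},                    # no admin permission at all
}


def current_requirement(rows):
    """Rule described as current: every product signoff requirement applies.

    Assumption: when a role appears more than once, the highest count wins.
    """
    needed = defaultdict(int)
    for row in rows:
        needed[row["role"]] = max(needed[row["role"]], row["signoffs_required"])
    return dict(needed)


def is_full_admin(user, permissions):
    """True only for an admin permission with no conditions attached."""
    perms = permissions.get(user, {})
    return "admin" in perms and perms["admin"] is None


def proposed_satisfied(signers, permissions, required=2):
    """Proposed rule: `required` distinct signoffs from full-fledged admins."""
    full_admins = {user for user in signers if is_full_admin(user, permissions)}
    return len(full_admins) >= required


if __name__ == "__main__":
    needed = current_requirement(PRODUCT_REQUIRED_SIGNOFFS)
    print("current rule:", needed, "total", sum(needed.values()))
    for signers in (["alice", "carol"], ["alice", "bob"], ["alice", "alice"]):
        print(signers, "->", proposed_satisfied(signers, PERMISSIONS))
```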