Permissions issues
ericsoco opened this issue · 6 comments
The intended permissions are as follows:
- Any member of
open-redist
can create a new project. - Anyone can create a new proposal.
However, I ran into some last-minute permissions issues trying to make these things possible:
- It's not enough for a user to be a member of
open-redist
; the member must publicize his/her membership viaopen-redist
's people page.
I ran into problems with the endpoint for checking all members (whether public or not) 302 redirecting and breaking the preflight request; instead, we use the endpoint for public members and therefore require public membership to create a project.
I'm not sure how to fix this problem; I expected the all-members API request to work, especially if the requester is a member of the org. But it does not.
- In order to create a proposal, a user must be an owner of
open-redist
. I believe this is due to the flow used to create a proposal:
- first, a branch is created on the repo;
- then, the PR is issued from that.
If the user is not an org owner / repo admin, the user has no rights to create a branch directly on the project repo; instead, a pull request (proposal) can only be made from a fork. The fix to this is most likely to programmatically (via the API) create a fork and issue the PR from that, instead of creating a branch directly on the repo.
Uuuugggghhhhhhh. Somebody needing to be a contributor to the repo in order to make a pull request is grim. That's a bar for participation that's so high as to rule out nearly anybody from outside the organization from being able to make proposals.
What is the reason that we can't do anything with pull requests from an individual's GitHub account? I'm afraid I don't follow that.
We can do that. I just have to rewrite the proposal creation flow to do so.
Will make it a priority.
Sorry this didn't come up sooner -- I've been testing mostly as an open-redist
member and the API flows can be byzantine when you factor in Git, GitHub, and OAuth scopes. There are many paths to each of the features here, and I chose the wrong one apparently >.<
I should amend the previous comment to say "I think we can do that."
My primary concern is around revisions to proposals. Not sure how that will work across repos. Have to figure it out.
Ok, the particularly egregious problem (no. 2 above) is now fixed -- proposals happen via a fork on the viewer's GH account. I think the requirement that a user be a public member of open-redist
in order to create a project is ok, but @waldoj I'd like to hear your thoughts.
I think it's just fine. Better than fine—I think it's preferable. Let's call this a feature, not a bug. :)
Feature implemented! ✔️