Fix to enable changing the permission of internal repositories. #898
Conversation
Motivation: Internal repositories are initially created with the [internal](https://github.com/line/centraldogma/blob/0cf273402d70773e0aab1e2b858111a1c1c0f22c/server/src/main/java/com/linecorp/centraldogma/server/metadata/PerRolePermissions.java#L61) permission, and I previously restricted the ability to modify this permission. However, users may have valid reasons to adjust the permission settings. Modifications: - Implemented functionality to change the permission of internal repositories. - Note: The guest role remains restricted from having any permission on internal repositories. Result: - You can now have the capability to modify the permission settings for internal repositories, excluding the guest role.
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #898 +/- ##
============================================
- Coverage 66.11% 66.07% -0.04%
+ Complexity 3407 3404 -3
============================================
Files 363 363
Lines 14117 14121 +4
Branches 1509 1511 +2
============================================
- Hits 9333 9330 -3
- Misses 3921 3925 +4
- Partials 863 866 +3 ☔ View full report in Codecov by Sentry. |
| if (!guest.isEmpty()) { | ||
| throw new UnsupportedOperationException( | ||
| "can't give a permission to guest for internal repository: " + repoName); |
There was a problem hiding this comment.
For consistency with the permission of internalPermissions, should we disallow giving permissions to MEMBER for internal repositories?
There was a problem hiding this comment.
I believed we had previously discussed this matter and reached a consensus to delegate permission-granting authority to the owner for members. 😉
internalPermissions is assigned to internal repositories upon creation, and the owner has the discretion to change it at will. While I'm not strongly opposed, I see no compelling reason to restrict granting permissions to members.
There was a problem hiding this comment.
Understood.
I was confused that the permission could be also granted to dogma repo.
There was a problem hiding this comment.
Technically, I believe allowing MEMBER access to dogma can potentially allow MEMBERs to "kick" OWNERs out of projects.
I don't really know the distinction of owner and member though. If the meaning is simply to add an extra layer of authority, I guess the current change is fine.
There was a problem hiding this comment.
Ah, got it. The dogma repo is restricted from being accessed by any user, so I initially thought this would suffice:
However, for clarity, I believe it's beneficial to explicitly allow changes only to the meta repository.
| final Set<Permission> guest = perRolePermissions.guest(); | ||
| if (!guest.isEmpty()) { | ||
| throw new UnsupportedOperationException( | ||
| "can't give a permission to guest for internal repository: " + repoName); |
There was a problem hiding this comment.
Since I believe this exception will be directly exposed to the end user
| "can't give a permission to guest for internal repository: " + repoName); | |
| "Can't give a permission to guest for internal repository: " + repoName); |
| if (!guest.isEmpty()) { | ||
| throw new UnsupportedOperationException( | ||
| "can't give a permission to guest for internal repository: " + repoName); |
There was a problem hiding this comment.
Technically, I believe allowing MEMBER access to dogma can potentially allow MEMBERs to "kick" OWNERs out of projects.
I don't really know the distinction of owner and member though. If the meaning is simply to add an extra layer of authority, I guess the current change is fine.
|
|
Thanks for reviewing. 😉 |
Motivation: Despite having the necessary permissions after line#898, members were unable to access the meta repository. Modifications: - Implemented a fix to ensure that members can access the meta repository as intended. Result: - Members with appropriate permissions can now successfully access the meta repository.
Motivation: Despite having the necessary permissions after #898, members were unable to access the meta repository. Modifications: - Implemented a fix to ensure that members can access the meta repository as intended. Result: - Members with appropriate permissions can now successfully access the meta repository.
Motivation:
Internal repositories are initially created with the internal permission, and I previously restricted the ability to modify this permission. However, users may have valid reasons to adjust the permission settings.
Modifications:
Result: