
fix: permission checks for updating or viewing projects in orgs #3776

Merged
merged 1 commit into from
Aug 6, 2024

Conversation

shreddedbacon
Member

General Checklist

  • Affected Issues have been mentioned in the Closing issues section
  • Documentation has been written/updated
  • PR title is ready for inclusion in changelog

Database Migrations

  • If your PR contains a database migration, it MUST be the latest in date order alphabetically

The problem

Prior to organizations being introduced, users with update:project on projects had permission to add, edit, and delete DeployTargetConfigs on projects. The roles that allow this currently are maintainer and owner roles (and higher level roles).

After the organizations roll out, the update:project permission on the above interactions was changed (probably incorrectly) to only allow organization administrators with the updateProject:organization permission to make changes to these configs.

Other roles that allow update:project still permit users with this permission to perform the same changes they used to do. This includes directly modifying the project settings, adding/removing metadata, and also modifying an environment to use a different deploytarget directly.

This permission change is to still allow users that previously had the update:project permission to modify DeployTargetConfigs to perform these actions, while still allowing organization administrators the ability to do so.

Modifying DeployTargetConfigs of a project in an organization will still require the deploytargets to be available to the organization as before; there is no change to this behaviour.

Changes

  • checkOrgProjectViewPermission
    • this is changed to check firstly if a user has the view:project permission, if not it will check if the project is in an organization or not and will then perform the organization check.
    • previous behaviour was to check organization permission, and then fall back to view:project
  • checkOrgProjectUpdatePermission
    • this is changed to now check if a user has the update:project permission, if not it will check if the project is in an organization or not and will then perform the organization check.
    • previous behaviour was to check organization permission if in an org, but no fall back to update:project. It would only check update:project if the project was not in an organization.
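The check ordering described above, as an added example that is not Lagoon's own code: the "before" and "after" variants of the update check side by side, over a constructed in-memory model. The `Project`/`User` types and the `hasProjectPermission`/`hasOrgPermission` helpers are assumptions made for the illustration.

```typescript
// Added example, not Lagoon's own code: models the permission-check
// ordering described in this PR. The data model and helper names are assumptions.

type Project = { id: number; organization: number | null };

type User = {
  name: string;
  // project-level permissions granted by roles such as maintainer/owner (assumed model)
  projectPerms: Map<number, Set<string>>;
  // organizations where the user is an administrator (assumed model)
  orgAdminOf: Set<number>;
};

function hasProjectPermission(user: User, action: string, project: Project): boolean {
  const perms = user.projectPerms.get(project.id);
  return perms !== undefined && perms.has(action);
}

// Organization administrators hold updateProject:organization / viewProject:organization.
function hasOrgPermission(user: User, orgId: number): boolean {
  return user.orgAdminOf.has(orgId);
}

// Before this PR: a project inside an organization was checked only against the
// organization permission; update:project was consulted only outside an org.
function checkOrgProjectUpdatePermissionBefore(user: User, project: Project): boolean {
  if (project.organization !== null) {
    return hasOrgPermission(user, project.organization);
  }
  return hasProjectPermission(user, 'update:project', project);
}

// After this PR: update:project is checked first, and the organization check
// runs only as a fallback when the project belongs to an organization.
function checkOrgProjectUpdatePermissionAfter(user: User, project: Project): boolean {
  if (hasProjectPermission(user, 'update:project', project)) {
    return true;
  }
  return project.organization !== null && hasOrgPermission(user, project.organization);
}

// Constructed sample data: one project inside organization 10, three users.
const orgProject: Project = { id: 1, organization: 10 };
const maintainer: User = {
  name: 'maintainer',
  projectPerms: new Map<number, Set<string>>([[1, new Set(['view:project', 'update:project'])]]),
  orgAdminOf: new Set<number>(),
};
const orgAdmin: User = { name: 'org-admin', projectPerms: new Map<number, Set<string>>(), orgAdminOf: new Set<number>([10]) };
const outsider: User = { name: 'outsider', projectPerms: new Map<number, Set<string>>(), orgAdminOf: new Set<number>() };
```

The maintainer is the case the PR fixes: denied by the "before" ordering on an org project, allowed by the "after" ordering, while the org administrator and a user with neither permission get the same answer under both.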

@shreddedbacon shreddedbacon requested a review from bomoko July 22, 2024 02:14
Contributor

@bomoko bomoko left a comment


makes sense.

@shreddedbacon shreddedbacon force-pushed the org-project-permission branch from de8dbfd to f2fb9df Compare July 25, 2024 04:02
@tobybellwood tobybellwood added this to the 2.21.0 milestone Jul 29, 2024
@shreddedbacon shreddedbacon modified the milestones: 2.21.0, 2.20.1 Jul 31, 2024
@shreddedbacon shreddedbacon marked this pull request as ready for review August 1, 2024 00:44
@shreddedbacon shreddedbacon force-pushed the org-project-permission branch from f2fb9df to c077026 Compare August 5, 2024 07:05
@tobybellwood tobybellwood merged commit 4d99bd2 into main Aug 6, 2024
1 check passed
@tobybellwood tobybellwood deleted the org-project-permission branch August 6, 2024 10:04