•  
      story #12554 have private projects without restricted members
    Summary
    Empty
    have private projects without restricted members

    I can ensure external people won't have access to sensitive informations

    Overview

    As of today, when platform is configured to mandate login, there are 3 levels of project

    • public incl. restricted: all authenticated users can access the project
    • public: accessible only by active users
    • private: accessible only be project members

    It's proposed with this story to

    • add a 4th level: "private without restricted".
      • project admins cannot add as member someone who is restricted
    • have 4 different icons that allows to clearly identify each level

    Acceptance criteria

    • Project admin can no longer add restricted users to project members (and user groups)
      • Users are not proposed in autocompletion
    • Restricted users that try to access a "private w/o restricted" project doesn't have the possibility to request access, they are getting a 404 error.
    • When a user is switched to restricted, the user is removed from all projects that are "private w/o restricted" (and all user groups)
      • There is a warning message to confirm the action (User is going to be removed from X projects).
    • When a project is switched to "private w/o restricted", all restricted users are removed from project members (and all user groups)
      • There is a big warning message specific to this switch to confirm (when there are restricted): "X users are going to be removed from this project".
    • Binding of user groups must filter restricted users when target group is a "private w/o restricted" project.
    • On LDAP sync of user groups, the users are filtered to remove restricted that should land in "private w/o restricted" project.
      • Warning, user filters (that control how users are created/updated on the platform from LDAP) must be applied before the "private w/o restricted" filter.
    • XML export
      • When platform is configured with access to "Anonymous" or "Authenticated", project are exported like
        • public
        • private
      • When platform is configured with access to "Autenticated + Restricted", projects are exported like
        • public-with-restricted
        • public
        • private-with-restricted
        • private
    • XML import should reject creation that doesn't comply with constraint
      • When platform is configured with access to "Anonymous" or "Authenticated", projects can be imported with following access level (other levels trigger an error):
        • public
        • private
      • When platform is configured with access to "Autenticated + Restricted", projects can be imported with following access level
        • public-with-restricted
        • public
        • private-with-restricted
        • private
    • SOAP and REST API must also enforce the constraint
    • The 4 level of project access must be managed a project creation
      • Should be proposed in the web UI
      • Should be managed as default value for project creation
        • The local.inc config "$sys_is_project_public = 1;" is put in the DB (and can manage de 4 possible default values) and managable by the web ui and "tuleap set-config" CLI

    Implementation concerns

    The implementation is done with double safety in mind (aka ceinture & bretelles). That means that, in addition to ensure that when a user becomes restricted or when a project becomes private (w/o restricted), the people are removed from said projects. In addition to that, the implementation is done so if it ever happens that a restricted user ends-up being member of a private (w/o restricted) project, the checks are there to ensure they still cannot access it.

    However this comes at a cost and limitations. The main limitation is that it cannot work for all UNIX related features:

    • proftpd plugin
    • direct ssh or ftp access
    • cvs support

    For those services, the only protection that will apply is "restricted users are removed from private projects".

    Geoffroy Grelot (ggrelot)
    Status
    Empty
    Done
    Development
    • [ ] Does it involves User Interface? 
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Empty
    Details
    #12554
    Manuel Vacelet (vaceletm)
    2019-04-07 01:00
    2018-11-26 17:22
    4197

    References
    Referencing story #12554

    Git commit

    tuleap/tuleap/stable

    Introduce 4th project access option 7c45624c16
    Display relevant project icon for restricted platform. aac975910d
    Forbid access to a private project to restricted member afc4726524
    Display new icons in MyProjects widget. 19e4a8feac
    Do not expose projects in navbar, project creation, and rest fbd2d8ecf6
    XML Export project access with actual value 8ab1c5dcb1
    On platform switch to 'No restricted', usage of `private incl. restricted` is removed b4bef963c1
    Fix icons when platform does not allow restricted e954973ad3
    Same opacity for public and unrestricted projects 70dfc0a38d
    Move ProjectXMLImporterTest to phpunit 7dc96377d3
    XML import refuse to create project with access invalid WRT site config ed7fd14323
    Webdav enforce check of user/project access with core API 71aafd3878
    Fix incorrect type hint in BurningParrot project presenter 8ff8d98e4f
    request #13198: REST endpoint GET /artifact_files/{id} does not verify all the artifact/tracker permissions a669d6ef7c
    Check restricted access in SVN 279042d85a
    REST API enforce check of user/project access with core API. 703311a342

    Follow-ups

    User avatar
    First steps of this story done in Tuleap 11.0.
    Remaining work has been moved to story #13237.

    • Status changed from On going to Done
    • Category set to
    User avatar

    Another bunch of AC update following implementation findings.


    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar

    Update AC with today's findings


    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2019-03-19 11:09
    gerrit #14408 integrated into Tuleap 10.11.99.119.

    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from Ready (stalled) to On going
    User avatar
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • CC list set to Geoffroy Grelot (ggrelot)
    User avatar
    Reflects the submitted usecase correctly. I personnally view version 'a' of the mockup as the clearer, though it could be more consistent to display the open lock for "public including restricted' and an open lock with strikethrough 'R' for "public without restricted", i.e. similar to the proposal for private projects.
    User avatar