grant restricted users access to git repositories
I can have open source projects where everyone can access my repositories on my "restricted" platform
Enable the feature (as project admin)
- A project admin must enable this option at project level. It is available for public projects only.
- When the feature is enabled, an entry is added to the history to keep track of it
- A warning is displayed to make sure the admin understands what they are doing. The warning includes:
  - Info about the project being listed in Project tree
  - Info about services being listed (but not accessible)
  - Info about the summary page being public (with all widgets, without specific permissions checking)
- There is a forge upgrade to explicitly change all "all_users/anonymous" to "registered users" when the platform is configured to forbid anonymous access
- When the project admin revokes the option, the permissions already granted to "authenticated users" are revoked.
  - It means that when you untick the "use restricted users" option as a project admin, you will have to set permissions on "restricted users" again if you reactivate this option in the future
  - The other permissions are not affected
- When the option is activated, the project is listed in "project tree" and trove cat
- When a restricted user accesses this project, nothing but the Git service is actually browsable. Only the 'git' and 'summary page' services are displayed.
- As long as no repository is granted to restricted users, the repository list is empty
Usage (as git admin)
- In the permissions section, the permission select box displays:
  - Anonymous users (corresponds to all_users), only displayed if the platform allows it
  - Authenticated users (corresponds to previous registered_users + restricted)
  - Registered users (to be renamed to something smarter)
  - Project members
- When permissions are used in the API (REST routes on /git), the permissions are listed as:
  - Anonymous => all_users
  - Authenticated => authenticated_users
  - Registered/New name => registered_users
- In other terms, the technical names in the API don't change, but we introduce "authenticated_users" as a new possibility.
- The "$sys_allow_anon" and "$sys_allow_restricted_users" parameters need to be imported as DB configuration elements (they are currently in /etc/tuleap/conf/local.inc), with a forge upgrade
  - We need to manage them in DB (and with the site admin configuration panel) because we need to detect changes to those settings to properly update repository permissions.
- Changes to be propagated:
  - When the site admin disables usage of anonymous:
    - All git repositories granted to "Anonymous" are updated to be granted to "Registered"
  - When the site admin disables usage of Restricted users:
    - All git repositories granted to "Authenticated" are updated to be granted to "Registered"
    - Project admin use of the "Authenticated users" group is revoked
  - Those changes are recorded in project history
- This needs to be placed in new code (permissions.php is rotten) with a clean and tested implementation
  - The objective is to validate the new code with git and to progressively deploy it for all services once it's validated
  - When completed for all services, the custom "restricted_user_permissions.txt" (in site-content/en_US/include) will be removed
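
The propagation rules listed under "Changes to be propagated", modelled as an added example (not Tuleap code and not part of the original story). `SiteSettings`, `propagate` and `project_option_after` are hypothetical names, the sample repositories are constructed, and `project_members` is an assumed technical name.

```python
from dataclasses import dataclass

# Technical names taken from the REST API list in this story.
ANONYMOUS = "all_users"
AUTHENTICATED = "authenticated_users"
REGISTERED = "registered_users"

@dataclass(frozen=True)
class SiteSettings:
    allow_anonymous: bool         # models $sys_allow_anon
    allow_restricted_users: bool  # models $sys_allow_restricted_users

def propagate(old, new, repos):
    """Return (updated grants, history entries) after a site settings change."""
    # Only a setting that goes from enabled to disabled triggers a downgrade.
    downgrade = {}
    if old.allow_anonymous and not new.allow_anonymous:
        downgrade[ANONYMOUS] = REGISTERED
    if old.allow_restricted_users and not new.allow_restricted_users:
        downgrade[AUTHENTICATED] = REGISTERED
    updated, history = {}, []
    for name, groups in repos.items():
        result = []
        for group in groups:
            target = downgrade.get(group, group)
            if target != group:
                history.append((name, group, target))  # recorded in project history
            if target not in result:  # the repo may already grant REGISTERED
                result.append(target)
        updated[name] = result
    return updated, history

def project_option_after(new, project_uses_restricted):
    """The project-level option is revoked when restricted users are disabled."""
    return project_uses_restricted and new.allow_restricted_users

# Constructed sample data; "project_members" is an assumed technical name.
SAMPLE_REPOS = {
    "public-lib": [ANONYMOUS],
    "partner-sdk": [AUTHENTICATED, REGISTERED],
    "internal": ["project_members"],
}

if __name__ == "__main__":
    before = SiteSettings(allow_anonymous=True, allow_restricted_users=True)
    after = SiteSettings(allow_anonymous=False, allow_restricted_users=False)
    print(propagate(before, after, SAMPLE_REPOS))
```

Disabling anonymous access alone moves "Anonymous" grants straight to "Registered", not to "Authenticated", so the change never widens what restricted users can reach.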
Nouha Terzi (terzino), Denis PILAT (denis_pilat), francois jean-marie (francoisjean-marie)