•  
      story #8141 set mediawiki access permissions
    Summary
    project admin
    set mediawiki access permissions
    I can control global access to mediawiki read and write

    How it works ?

    As a project admin, I can select the user_groups that can:

    • Access pages in READ
    • Access pages in WRITE

    This is done globally for the given Mediawiki

    The UI for permissions manipulations is done at the same place that current permissions management of MW (bureaucrat, syspo & co).

    Technically speaking:

    • the READ (access to the service) is managed at Mediawiki level (LocalSettings)
    • the WRITE is manage at Mediawiki level (LocalSettings)
    • As it's a new permission, it should act like git new permission model (with Authenticated users)
    • The permissions must be stored in a dedicated, per plugin, table (no longer gobal permissions table)

    What can go wrong (during dev) ?

    • READ cannot be managed in LocalSettings and should be done at Tuleap level

    What we'd like to do (dev) ?

    • Dedicated object to manage permissions
    • Logging/debug of how permissions are handled
    Empty
    vincent.colin-de-verdiere@st.com
    Status
    Empty
    Done
    Development
    • [ ] Does it involves User Interface? 
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Empty
    Details
    #8141
    Manuel Vacelet (vaceletm)
    2015-07-16 13:21
    2015-06-11 15:52
    8165

    References

    Follow-ups

    User avatar
    Hi Vincent & all,

    LDAP based user groups will be supported. Once groups are created in Tuleap (be local groups or import of LDAP groups) they are the same.

    -- next story will be AUODP (Artifact Update Over Denis Pilat) ;)
    User avatar
    Here it is:
    Hello Guys,
    Here is my feedback ;-)
    Overall the feature seems correct to me.
    I just checked that the admin UI used to specify bureaucrat, syspo & co fits our needs (possibility to assign accesses for each group independently easily).
    Just one minor question : some groups may be binded to ldap mailing-list, is it an issue ?
    Cheers
    Vincent
    User avatar
    That's fine. I'"m waiting for VCDV feedback, but I think what you proposed includes all he needs
    User avatar

    When you said "user_groups", does it include "registered users", "project members" ?

    Yes, the objective is to have the same behaviour that what we did for git (with the management of combinatory between platform setup, project visibilty and mediawiki perm) https://tuleap-documentation.readthedocs.org/en/latest/user-guide/site-access.html#resource-configuration

    User avatar
    Manuel
    We are about to prioritize this item.
    When you said "user_groups", does it include "registered users", "project members" ?
    User avatar
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar

    There are some open questions to be solved before estimation:

    • How does this map with current mediawiki permission model
    • What is the impact of current perms (bureaucrate, sysop, bot, etc), esp. does one of those perm have less "rights" than "write" for instance.