[#857] Permissions for derived roles are not reflected in the UNIX permissions

Description

Summary:

Detailed description

I have two projects, where one project (B) uses the roles from the other project (A). Thus, all users that have access to SVN in A because they are part of this shared role, should have access to SVN in B. But if I run an "id login123" on the command line, the user login123 is not a part of the groups "Bscmrw" or "Bscrmro". But the login should be in one of the groups, not just in the "A_" groups.

General Information
Submitted by: Michael Kluge
Date Submitted: 2017-07-04 06:26
Last Modified by: Nobody
Last Modified: 2017-11-02 20:00
Permalink: https://fusionforge.org/tracker/a_follow.php/857
Votes: 0/1 (0%)
Internal Fields
Data Type: Bugs
Assigned to: Nobody (None)
State: Open
Priority: 3
Extra Fields
Resolution: Accepted As Bug
Severity: normal
Target Release: none
Found in Version: 6.0.4
Date: 2017-08-11 07:42
Sender: Franck Villaume

For the SCM use-case, the anonymous role will not have access with ssh access... It is obvious but this specific situation must be handled.

Date: 2017-07-13 08:02
Sender: Franck Villaume

See duplicated [#839]

Date: 2017-07-13 07:58
Sender: Franck Villaume

Fair enough. Let's see how to fix it.

Date: 2017-07-13 05:39
Sender: Michael Kluge

> I'm not sure that we want to provide SCM permissions to linked roles.

I don't see why SCM should be treated differently than other tools. If you link a role with SCM permissions to a project, all members of that role should have the type of access that is part of the role.

> My use case:
> A user "alpha" creates a project "alphaproject" with SCM subversion enabled.
> Should any FusionForge administrators have full permission on SCM subversion repository of the "alphaproject"?

This is not a valid use case. The role "FusionForge Administrator" (which does not exist btw) is not linked to the project. Thus, admins might not have access.

If the semantic is like this, that admins always have access to all projects, then they do have access. For the reason that most admins will also have root access to the machine, they have access anyway.

> What about global roles such as "Any Logged User"? If this role is linked to "alphaproject" with write permission to SCM subversion repository, do we really want any logged user to write to the repo?

If I set up my system like this, sure! Because I set it up to work like this. It should be my decision. The permission system should not work like "I follow permission, but ..." and then 12 undocumented exceptions. It's impossible to explain this to admins and users. And it is not even required.

> It is an open question.

Not really. The permission system should just grant the correct rights the way the rights are set up. Maybe it makes sense to catch this scenario as a corner case and show a popup that says: "Are you sure about this?".

> Today's implementation is: linked roles have no SCM permission even if the role settings tell SCM permissions unless the project is public then any user can have read access.
> Any opinion?

Sorry, but this should be wrong. Why is SCM different from Wiki, Files, ...? If a role has a set of permissions and the role is linked to my project, these roles and their permissions need to be obeyed. Everything else is a bug.

Date: 2017-07-12 14:29
Sender: Franck Villaume

I'm not sure that we want to provide SCM permissions to linked roles.

My use case: A user "alpha" creates a project "alphaproject" with SCM subversion enabled. Should any FusionForge administrators have full permission on SCM subversion repository of the "alphaproject"? What about global roles such as "Any Logged User"? If this role is linked to "alphaproject" with write permission to SCM subversion repository, do we really want any logged user to write to the repo?

It is an open question.

Today's implementation is: linked roles have no SCM permission even if the role settings tell SCM permissions unless the project is public then any user can have read access.

Any opinion?

Date: 2017-07-04 12:26
Sender: Michael Kluge

Project A and Project B use SCM subversion ? Yes

Users from Project A are members of Project B? No

Role R1 from Project A is a shared role? Yes

Project B links the role R1? Yes

Users from Project B have role R1 and have SVN access granted thru role R1? Well, these users are not directly from project B. They are part of A and have a role in A and the role is linked to B.

Date: 2017-07-04 11:22
Sender: Franck Villaume

Hi,

Need some clarification/details. Some questions below: Project A and Project B use SCM subversion? Users from Project A are members of Project B? Role R1 from Project A is a shared role? Project B links the role R1? Users from Project B have role R1 and have SVN access granted thru role R1?

No attached documents

No related commits.

Field | Old Value | Date | By
Found in Version | 6.0.5 | 2017-07-13 08:02 | Franck Villaume
Resolution | None | 2017-07-13 07:58 | Franck Villaume

No relations found.
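
An added example, not FusionForge code and not written by anyone in this thread: a small audit that compares the SCM groups implied by role settings with the groups `id` reports, under both the behaviour described in the follow-ups (linked roles ignored for SCM) and the behaviour the report asks for. The data model, the `<project>_scmro` / `<project>_scmrw` group naming and the sample `id` output are assumptions constructed for illustration.

```python
import re

# Constructed sample data; role, project and login names mirror the report.
ROLES = {
    "R1": {
        "home": "A",                    # project that owns the role
        "shared": True,                 # may be linked by other projects
        "members": {"login123"},
        "scm": {"A": "rw", "B": "rw"},  # SCM level configured per project
    },
}
LINKS = {"B": {"R1"}}                   # project B links role R1 from A

# Constructed `id login123` output showing the reported symptom.
ID_OUTPUT = "uid=2001(login123) gid=2001(login123) groups=2001(login123),3001(A_scmrw)"


def scm_group(project, level):
    """Assumed naming convention: <project>_scmro / <project>_scmrw."""
    return f"{project}_scm{level}"


def expected_groups(login, honour_links):
    """SCM groups a login should hold under the chosen policy."""
    groups = set()
    for name, role in ROLES.items():
        if login not in role["members"]:
            continue
        for project, level in role["scm"].items():
            own = project == role["home"]
            linked = role["shared"] and name in LINKS.get(project, set())
            if own or (honour_links and linked):
                groups.add(scm_group(project, level))
    return groups


def parse_id_groups(id_output):
    """Extract group names from the groups= field of `id` output."""
    match = re.search(r"groups=(.*)", id_output)
    return set(re.findall(r"\d+\(([^)]+)\)", match.group(1))) if match else set()


def missing_groups(login, id_output):
    """Groups the role configuration grants but the UNIX account lacks."""
    return sorted(expected_groups(login, True) - parse_id_groups(id_output))


if __name__ == "__main__":
    print("current policy :", sorted(expected_groups("login123", False)))
    print("links honoured :", sorted(expected_groups("login123", True)))
    print("missing on host:", missing_groups("login123", ID_OUTPUT))
```

Running the same comparison with `honour_links=False` gives the set that matches what the host shows today, which makes the gap between configured and enforced permissions explicit.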