[permissions] Add permission groups management #55
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit allows defining permission groups to manage the platform. By default, three permission groups are available: admin, user, and readonly. Admins and users can create and update tasks and repositories, while readonly users have view-only access. A new command is available: `grimoirelab admin set-permissions <username> <permission_group>` This allows assigning a specific permission group to a user. To add custom groups or adjust permissions, create a new JSON file based on `grimoirelab/core/settings/permissions_groups.json`, and set the environment variable `GRIMOIRELAB_PERMISSION_GROUPS_LIST_PATH` to the path of the new file. Signed-off-by: Jose Javier Merchante <[email protected]>
sduenas
requested changes
May 12, 2025
There was a problem hiding this comment.
I think we should have three groups of roles (at least for now):
- Admin: user with super powers for everything, specially manage tasks and identities.
- Manager: user to administer a set of ecosystems: add, archive and remove repositories from the ecosystem . They can't manage tasks but probably identities from
- Member: user with access to a set of ecosystems. For the moment, they can only view the info related to it. Probably, also get data and metrics using the API.
What do you think about this?
| def check_permissions(permissions): | ||
| """ | ||
| Decorator to check if the user has the given permissions. | ||
| This only works for RestFramework views. |
There was a problem hiding this comment.
What are the implications of this? I'm afraid there could be other ways to call the API, etc and have a security hole because we don't remember this only works for the RestFramework views.
| click.echo() | ||
|
|
||
|
|
||
| def _setup_group_permissions(): |
There was a problem hiding this comment.
Maybe I made this command before but, shouldn't this be a fixture? It can be like what we have in SortingHat for countries.
| self.assertEqual(response.status_code, 403) | ||
| self.assertEqual(response.json(), {"detail": "Authentication credentials were not provided."}) | ||
|
|
||
| def test_add_repository_permission_denied(self): |
There was a problem hiding this comment.
Maybe we can have something generic to try the permissions of specific actions.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR allows defining permission groups to manage the platform.
By default, three permission groups are available: admin, user, and readonly. Admins and users can create and update tasks and repositories, while readonly users have view-only access.
A new command is available.
grimoirelab admin set-permissions <username> <permission_group>allows assigning a specific permission group to a user.To add custom groups or adjust permissions, create a new JSON file based on
grimoirelab/core/settings/permissions_groups.json, and set the environment variableGRIMOIRELAB_PERMISSION_GROUPS_LIST_PATHto the path of the new file.