pagure

Clone

#5063 Add an API endpoint to check user ACLs on package/branch
Closed: Fixed 3 years ago by pingou. Opened 3 years ago by mattia.

Closed: Fixed
Reopen Issue

Following https://pagure.io/fedora-infrastructure/issue/9510 I think Bodhi could enjoy having an API endpoint in Pagure to check user's ACLs on a specific package/branch.

I think something like this, but before trying to write down the code I would like your thoughts:

    List user ACLs for a given package / branch
    -------------------------------------------

    Use this endpoint to retrieve a list of permissions a user has
    on a specific package / branch.

    ::

        GET /api/0/user/<username>/acls

    ::

        GET /api/0/user/dudemcpants/acls

        GET /api/0/user/dudemcpants/acls?package=bodhi

        GET /api/0/user/dudemcpants/acls?package=bodhi&branch=master

    Parameters
    ^^^^^^^^^^

    +---------------+----------+--------------+-----------------------------+
    | Key           | Type     | Optionality  | Description                 |
    +===============+==========+==============+=============================+
    | ``username``  | string   | Mandatory    | | The username of the user  |
    |               |          |              |   whose acls you are        |
    |               |          |              |   interested in.            |
    +---------------+----------+--------------+-----------------------------+
    | ``package``   | string   | Mandatory    | | The package name to check |
    |               |          |              |   ACLs for the given user.  |
    +---------------+----------+--------------+-----------------------------+
    | ``branch ``   | string   | Optional     | | The branch name to check  |
    |               |          |              |   ACLs for the given user.  |
    +---------------+----------+--------------+-----------------------------+

    Sample response
    ^^^^^^^^^^^^^^^

    ::

        {
          "args": {
            "branch": "null",
            "package": "bodhi",
            "username": "dudemcpants",
          },
          "user_acls": [
            "admin"
          ],
          "usergroups_acls": [
            "commit"
          ],
        }

    or::

        {
          "args": {
            "branch": "f33",
            "package": "pagure",
            "username": "dudemcpants",
          },
          "user_acls": [
            "collaborator"
          ],
          "usergroups_acls": []
        }

Does it make sense to have the "collaborator" ACL showed only when the branch parameter is specified in the query?

Another possible, more simple, reply that only says if the user has admin or commit access to the repo, without distinguish between user and group rights:

    Sample response
    ^^^^^^^^^^^^^^^

    ::

        {
          "args": {
            "branch": "null",
            "package": "bodhi",
            "username": "dudemcpants",
          },
          "acls": {
            "admin": True,
            "commit": True
          }
        }

    or::

        {
          "args": {
            "branch": "f33",
            "package": "pagure",
            "username": "dudemcpants",
          },
          "acls": {
            "admin": False,
            "commit": True
          }
        }

With this reply, external services don't need any code logic to check if a user has commit access to a repo, they will rely completely on Pagure.

Metadata Update from @ngompa:
- Issue tagged with: RFE, discussion, pkgs.fp
3 years ago

So we currently have an API endpoint that will return all the contributors of a project with their corresponding access level, for example: https://pagure.io/api/0/pagure/contributors (doc at: https://pagure.io/api/0/#projects-tab Contributors of a project).

I do like the idea of the endpoint you're suggesting here. It could be a little simpler than your prototype here as it won't return admin access only commit True/False or do you really need the admin info?

I'm also thinking it may belong more to the project than the user, ie:
more GET /api/0/<namespace>/<name>/hascommit?user=<username>&branch=<branch> then GET /api/0/user/<username>/acls.

I think it would probably be better for forward-thinking purposes to return detailed role information, especially since collaborators makes this more complicated anyway.

I think it would probably be better for forward-thinking purposes to return detailed role information, especially since collaborators makes this more complicated anyway.

is this not https://pagure.io/api/0/pagure/contributors ?

So we currently have an API endpoint that will return all the contributors of a project with their corresponding access level, for example: https://pagure.io/api/0/pagure/contributors (doc at: https://pagure.io/api/0/#projects-tab Contributors of a project).

Ah, I missed that endpoint when I filed my proposal.

I do like the idea of the endpoint you're suggesting here. It could be a little simpler than your prototype here as it won't return admin access only commit True/False or do you really need the admin info?

Since Bodhi only cares if a user has commit access to package to allow them to create/edit updates, I think a commit True/False would be enough. Simple and clean.

I'm also thinking it may belong more to the project than the user, ie:
more GET /api/0/<namespace>/<name>/hascommit?user=<username>&branch=<branch> then GET /api/0/user/<username>/acls.

Yes, based on the above commit True/False it would be better under project endpoint.

Ah, I missed that endpoint when I filed my proposal.

I think it had just been developed when your proposal landed :)

Anyway the PR https://pagure.io/pagure/pull-request/5087 should implement the endpoint we're discussing here, do you want to check it?

Commit 75fbc38 fixes this issue

Login to comment on this ticket.

Metadata
None

discussion RFE pkgs.fp

None
None
None
None
Related Pull Requests
  • #5087 Merged 3 years ago
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.