Change permissions model so that non-admins do not get org-wide read

Fixes #1684
Joseph Schorr 2016-08-04 16:23:09 -04:00
parent 5a4e557d90
commit c4daf1cc3d
5 changed files with 225 additions and 102 deletions


@ -29,10 +29,10 @@ REPO_ROLES = [None, 'read', 'write', 'admin']
TEAM_ROLES = [None, 'member', 'creator', 'admin']
USER_ROLES = [None, 'read', 'admin']
TEAM_REPO_ROLES = {
TEAM_ORGWIDE_REPO_ROLES = {
'admin': 'admin',
'creator': 'read',
'member': 'read',
'creator': None,
'member': None,
}
SCOPE_MAX_REPO_ROLES = defaultdict(lambda: None)
@ -143,7 +143,7 @@ class QuayDeferredPermissionUser(Identity):
logger.debug('Organization team added permission: {0}'.format(team_org_grant))
self.provides.add(team_org_grant)
team_repo_role = TEAM_REPO_ROLES[team.role.name]
team_repo_role = TEAM_ORGWIDE_REPO_ROLES[team.role.name]
org_repo_grant = _OrganizationRepoNeed(team.organization.username,
self._repo_role_for_scopes(team_repo_role))
logger.debug('Organization team added repo permission: {0}'.format(org_repo_grant))
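Review bot: In the second hunk, a team whose role maps to `None` in `TEAM_ORGWIDE_REPO_ROLES` is still passed through `self._repo_role_for_scopes(team_repo_role)` and still produces an `_OrganizationRepoNeed`, so members and creators end up carrying an org-wide repo need with an empty role. That is presumably never matched by a permission check, but the denial then depends on every consumer treating a `None` role as no access, and neither `_repo_role_for_scopes` nor those checks are visible here. Making the denial explicit would be more robust: wrap the grant in `if team_repo_role is not None:` so no need is issued at all, which also stops the debug log from reporting a repo permission that was not granted. A comment on the mapping would help as well, for example `# None: this team role confers no org-wide repo access; access must come from explicit repo permissions`. The enclosing loop starts and ends outside the hunk.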