Check API - permissions/authorisation

Stephen Finucane stephen at that.guru
Wed Jun 7 02:28:11 AEST 2017


On Tue, 2017-06-06 at 21:10 +1000, Daniel Axtens wrote:
> Hi,
> 
> One thing that has come up in discussions around CI and Patchwork is
> permissions for the checks API.
> 
> What permissions are required for a user to create a check?
> I can't find anything in the docs to tell me for sure.
> 
> I know that admin permissions are sufficient, and I have been
> unreliably informed that maintainership is sufficient.

At the moment, we rely on the 'Patch.is_editable' property to determine
this. That property allows edits to patches if the user is
authenticated and is either (a) the submitter of the patch, (b) the
delegate of the patch, (c) a project maintainer, or (d) a superuser.

> What actually is required? We probably want to make this reasonably
> granular so that, for example, the 0-day bot can be given the ability
> to create checks without needing people to trust them with any other
> rights.

We could probably loosen the above conditions: checks are associated
with a user and, since we merged '6c0bbe1' and '3fc11fea', it is
possible to distinguish which checks a user belongs to. Personally, I
would like to use Django Admin's groups or permissions to tag users
with CI permissions but this is a good chunk of work and smells of
YAGNI. Something even simpler, like letting any registered user create
a check, could do the job?

Hope this helps,
Stephen
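
The rule described in the reply above, next to the more granular option raised in the thread, as an added example that is not part of the original message and is not Patchwork's code. It is a plain-Python model; the `User` and `Patch` classes, the `create_check` permission name, `can_create_check` and the sample accounts are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CREATE_CHECK = "create_check"  # hypothetical permission name, not Patchwork's

@dataclass(frozen=True)
class User:
    name: str
    is_authenticated: bool = True
    is_superuser: bool = False
    maintains: frozenset = frozenset()    # projects this user maintains
    permissions: frozenset = frozenset()  # extra grants, e.g. CREATE_CHECK

@dataclass(frozen=True)
class Patch:
    project: str
    submitter: str
    delegate: Optional[str] = None

def is_editable(patch, user):
    """Current rule from the reply: authenticated AND one of (a)-(d)."""
    return user.is_authenticated and (
        user.name == patch.submitter            # (a) submitter
        or user.name == patch.delegate          # (b) delegate
        or patch.project in user.maintains      # (c) project maintainer
        or user.is_superuser)                   # (d) superuser

def can_create_check(patch, user):
    """Granular alternative: a dedicated grant, or anyone who may edit."""
    return user.is_authenticated and (
        CREATE_CHECK in user.permissions or is_editable(patch, user))

def decision_table(patch, users):
    """Map user name -> (may edit patch, may create check)."""
    return {u.name: (is_editable(patch, u), can_create_check(patch, u))
            for u in users}

# Constructed sample data: one patch and one account per case.
PATCH = Patch(project="demo", submitter="alice", delegate="bob")
USERS = [
    User("alice"), User("bob"),
    User("carol", maintains=frozenset({"demo"})),
    User("root", is_superuser=True),
    User("ci-bot", permissions=frozenset({CREATE_CHECK})),  # CI account
    User("dave"),                                           # registered only
    User("anon", is_authenticated=False,
         permissions=frozenset({CREATE_CHECK})),            # grant is ignored
]
```

Here `ci-bot` can create checks without gaining edit rights on the patch, which is the separation asked for in the quoted question.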

