Description
- Gitea version (or commit ref): 339d7de
- Git version: 2.14.1 (Windows)
- Operating system: Linux Alpine (Gitea Docker)
- Database (use `[x]`):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gitea.io:
- Log gist:
Description
When using organisations and teams there are permission settings for these teams. Available options are
- Read Permissions (with units that can be selected below)
- Write Permissions (with units that can be selected below)
- Admin Permissions
I created a team called WikiAuthors and only enabled them write access to the wiki. When testing, the WikiAuthors could still change files in the code segment, accept pull requests, etc. (see try.gitea above).
When setting WikiAuthors to Read Permission and only for the unit Wiki, they could still see everything else but fortunately not edit anything (except creating issues and pull requests) (see try.gitea above).
A similar problem arises when enabling branch protection. Users of a team that is not whitelisted can still force push into a protected branch (this was not tested in the try.gitea version).
Am I using the permission system wrong or is it not fully implemented yet?
It seems that Gitea only cares about whether or not at least one write/read permission is set.
This Issue is somewhat related to #2684 as a broader issue concerning the permission system.
Activity
Title changed from "Write Permissions for specific units are ignored" to "Write / Read Permissions for specific units are ignored"
Morlinest commented on Oct 11, 2017
I think everyone can see everything because your org and repo are public. Try to make the repository private first.
TheRealPowerCoder commented on Oct 11, 2017
I have tried your suggestion that setting the repo to private might change things. Yes, it does work for read permissions. It makes sense that everybody can see everything if the repo is public.
However, write permissions on the other hand are still problematic. Unless the repo is set to private, the unit settings will be ignored and everyone with at least one write permission has repo-wide write access. Our repo has to be public but with units affecting write permissions, as I don't want everybody to have access for writing in the Wiki or creating releases.
As it stands now my original issue still exists: Unit Write Permissions don't affect access level unless the repo is made private. If the repo is private I am unable to say that WikiAuthors have write access to the wiki and still are able to __read__ other parts of the repo.
Separate read and write unit permissions with at least write permissions still being effective in public repos could solve the issue.
lunny commented on Oct 15, 2017
I think the problem is we want some team could
or something like this.
Now we only support Read or Write all team's Units.
This should be an enhancement of team settings.
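The difference between the behaviour reported in this thread and a per-unit check, as an added example that is not part of the thread and not Gitea's code. All type and function names are hypothetical, and the coarse check only models what the reporter observed (one write grant on any unit acting repository-wide).

```go
package main

import "fmt"

// Hypothetical names throughout; this is not Gitea's data model or code.
type AccessMode int

const (
	None AccessMode = iota
	Read
	Write
)

type Team struct {
	Mode  AccessMode
	Units map[string]bool // units ticked in the team settings
}

// CoarseMode models the reported behaviour: the highest team mode wins for every unit.
func CoarseMode(teams []Team, unit string) AccessMode {
	best := None
	for _, t := range teams {
		if len(t.Units) > 0 && t.Mode > best {
			best = t.Mode
		}
	}
	return best
}

// UnitMode scopes each team's mode to its ticked units; a public repo has Read as floor.
func UnitMode(teams []Team, unit string, public bool) AccessMode {
	best := None
	if public {
		best = Read
	}
	for _, t := range teams {
		if t.Units[unit] && t.Mode > best {
			best = t.Mode
		}
	}
	return best
}

func main() {
	// Constructed sample: a team with write access ticked for the wiki only.
	wikiAuthors := []Team{{Mode: Write, Units: map[string]bool{"wiki": true}}}
	for _, u := range []string{"code", "wiki", "releases"} {
		fmt.Println(u, CoarseMode(wikiAuthors, u), UnitMode(wikiAuthors, u, true))
	}
}
```

With the coarse check the wiki-only team gets write on code and releases as well; with the per-unit check it gets write on the wiki and only the public read floor elsewhere.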
terrywh commented on Nov 28, 2018
Is there any news on this? Is this related to #5308 / #5307?
lunny commented on Nov 28, 2018
This should be fixed by #5314
lunny commented on Nov 28, 2018
Please feel free to reopen.