On Tue, Mar 28, 2017 at 07:08:34PM +0200, Aurelien Bompard wrote:
We talked about authorizations at the hubs meeting today, and I'll
try to summarize what I understood from the requirements.
- FAS users have groups in FAS itself, and they have roles for these
groups (member / sponsor / admin)
- OIDC provides a way to get the groups of a logged-in user
- the new API that puiterwijk is developing will provide (a way to
request) the roles a user has in a group
- hubs aren't necessarily named after their FAS group, this
association has to be done manually by a site admin (upon creation or
- once that is done, the FAS groups and roles will be used to limit
actions on a hub
- it will be possible to request membership for a hub. Group members
with the sponsor or admin roles will be able to approve or deny it
directly from Hubs
- group admins will be able to set the hub metadata
So far so good :)
- a hub can also have a global visibility setting:
* public if anybody can see the content (including not logged-in visitors)
* preview if some information is not accessible to anonymous users,
and the rest is accessible to any logged-in user.
* private if only group members can see the content
Where would the data for preview and private be coming from?
If everything is coming from fedmsg, then everything is public.
I would caution going to retrieve private information off systems (I'm not sure
we should expose private pagure tickets into a 3rd party app (here hubs) as it
means more layers of security to consider/validate).
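As an added illustration that is not part of this thread or of the Hubs project code, the rules summarised above (FAS group roles gating actions on a hub, the manual hub-to-group association, and the public/preview/private visibility levels) can be written down as a small policy module. The data shapes here (a `Hub` with an optional `fas_group`, a `User` carrying a `group -> role` mapping as it might come from OIDC and the roles API, and a `restricted` flag on content) are assumptions made for the example; a hub with no group association fails closed, so nobody is treated as a member of it.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Visibility(Enum):
    PUBLIC = "public"    # anybody, including anonymous visitors
    PREVIEW = "preview"  # anonymous visitors see only unrestricted content
    PRIVATE = "private"  # FAS group members only


class Role(Enum):
    MEMBER = "member"
    SPONSOR = "sponsor"
    ADMIN = "admin"


@dataclass
class Hub:
    name: str
    visibility: Visibility
    # Association to a FAS group is made manually by a site admin; None means
    # "not associated yet", which must not grant anyone membership rights.
    fas_group: Optional[str] = None


@dataclass
class User:
    username: str
    # Assumed shape: group name -> role, as obtained from OIDC group claims
    # plus the roles API. Anonymous visitors are represented by None, not User.
    roles: Dict[str, Role] = field(default_factory=dict)


def role_in(user: Optional[User], group: Optional[str]) -> Optional[Role]:
    """Role the user holds in the hub's FAS group, or None (fail closed)."""
    if user is None or group is None:
        return None
    return user.roles.get(group)


def can_view(user: Optional[User], hub: Hub, restricted: bool = False) -> bool:
    """Visibility check. `restricted` marks content hidden from anonymous
    visitors when the hub is in preview mode."""
    if hub.visibility is Visibility.PUBLIC:
        return True
    if hub.visibility is Visibility.PREVIEW:
        if user is None:
            return not restricted
        return True  # any logged-in user
    # PRIVATE: only members of the associated FAS group
    return role_in(user, hub.fas_group) is not None


def can_approve_membership(user: Optional[User], hub: Hub) -> bool:
    """Sponsors and admins of the associated group may approve/deny requests."""
    return role_in(user, hub.fas_group) in (Role.SPONSOR, Role.ADMIN)


def can_edit_metadata(user: Optional[User], hub: Hub) -> bool:
    """Only group admins may change hub metadata."""
    return role_in(user, hub.fas_group) is Role.ADMIN


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    infra = Hub("infra", Visibility.PRIVATE, fas_group="sysadmin")
    alice = User("alice", {"sysadmin": Role.ADMIN})
    bob = User("bob", {"sysadmin": Role.MEMBER})
    print(can_view(None, infra), can_view(bob, infra), can_edit_metadata(alice, infra))
```

Keeping the decision in three small functions means the data source question raised in the reply stays separate from the policy: whatever is fetched from fedmsg is public anyway, and anything fetched from elsewhere is only handed out after `can_view` says so.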