Opened 4 years ago

# show permissions for specific repos only

Reported by: Owned by: patrick ejucovy normal GitolitePlugin normal 1.0

### Description

Hi,

I have a trac setup which consists of multiple trac environments. The goal for me as TRAC_ADMIN is basically to turn each environment over to a project_manager (which is something I defined as being a little less than TRAC_ADMIN) and then they can take care of their own users and permissions etc.

So I have integrated trac-gitolite, and I have one gitolite-admin repo that is serving the multiple trac environments. Out of the box, the project_manager for project A could see and manage the repository permissions for a repo in project B which may have a different project_manager. So this isn't ideal.

Basically I added a trac_gitolite option called show_repos. This is just a list of the repos whose permissions can be managed through the web interface. It can be set on a per environment basis in trac.ini

I have attached the diffs needed to do this.

Is this useful, or did I miss the boat entirely and there was a much easier way to do this?

Thanks,

Patrick

### comment:1 Changed 4 years ago by Ryan J Ollos

I'm not familiar with the plugin, but it sounds like you may want to implement TracFineGrainedPermissions checks, and maybe check for VERSIONCONTROL_ADMIN permission rather than TRAC_ADMIN permission.

Also, usually it's preferable to submit patches in unified diff form, as described at trac:TracDev/SubmittingPatches.

### comment:2 follow-up:  4 Changed 4 years ago by ejucovy

Thanks for the patch, patrick!

At first glance patrick's approach makes more sense to me than fine-grained permission checks. It sounds like the goal here is to define which Gitolite repositories are known per Trac environment, not per user. This is necessary because Gitolite manages all repositories' configuration in a single place on the trac/git server (the gitolite.conf file) so the Trac environment is reading configuration for all repositories, whether or not it wants to.

rjollos, would you mind outlining what this would look like using fine-grained permissions? (The environment configuration, not the diff to the plugin's code.) I've never managed to understand TracFineGrainedPermissions well enough to actually implement them in an environment. I guess you would need to remove VERSIONCONTROL_ADMIN from the entire realm, and then re-grant it to the project_manager(s) for individual repositories?

### comment:3 Changed 4 years ago by ejucovy

Actually, would you mind describing your use case a bit more?

Will each Trac environment's project_manager be administering their own Trac users and permissions, or will those be shared across environments?

Do project_managers have access to create new Gitolite repositories, or just to manage permissions of (some) existing repositories?

Will project_managers be creating new Gitolite users? (i.e. by uploading SSH public keys through Trac via GitolitePlugin's /admin/versioncontrol/permissions/ panel)

How often will project_managers be managing the Gitolite users and permissions?

Depending on your setup and usage patterns, some additional GitolitePlugin enhancements might be needed, including:

• more distinct permissions -- right now there's just REPOSITORY_CREATE (create new gitolite repos) and VERSIONCONTROL_ADMIN
• filtering out some users from the Gitolite Users panel and Gitolite Permissions panel
• mapping gitolite users to trac users explicitly instead of implicitly
• supporting the use of multiple files and subdirectories to manage gitolite ssh keys and repository permissions

### comment:4 in reply to:  2 Changed 4 years ago by Ryan J Ollos

rjollos, would you mind outlining what this would look like using fine-grained permissions?

I've had an interest in this plugin anyway, so I'll take a look at the code this week and let you know.

### Modify Ticket

Change Properties