This repository was archived by the owner on Sep 30, 2024. It is now read-only.
[Backport 5.0] batches: add organization setting to enable all members of org to become batch changes admins#52655
Merged
Merged
Conversation
BolajiOlajide
approved these changes
May 30, 2023
Contributor
|
Quick context for historical purposes: This is a high-impact change that was flagged as a blocker for https://github.com/sourcegraph/accounts/issues/3, https://github.com/sourcegraph/accounts/issues/580 after 5.0 and planned by the team to go out in a patch release before 5.1. |
Contributor
|
Arg I forgot https://github.com/sourcegraph/sourcegraph/pull/50604 was separate. Will backport that first, then rebase this to make sure builds are passing. |
…ome batch changes admins (#50724) Closes https://github.com/sourcegraph/sourcegraph/issues/50447 [Walkthrough](https://www.loom.com/share/895f3b1fe45d4d0a93cc4618ce51bfbf) sourcegraph/accounts#3 identified some areas where Batch Changes didn't solve some of their use cases. One is that Batch Changes created in an org namespace can only be operated by a site admin or the same user who created it. This PR is a band-aid fix; the hope is that this is appropriately addressed when support for Batch Changes and teams is worked on. I created a method in the `batches` service package to check for access to a batch change. The breakdown of the logic of the method is as follows: - If a Batch Change is in a user namespace, check if the current user is a site admin or the same user - If a Batch Change is in an org namespace, then we check the organization settings for `orgs.allMembersBatchChangesAdmin` boolean field: - If false, we default to the existing check for if the current user is a site admin or the same user - If true, we check if the user belongs to the org or is a site admin or the same user The following resolver operations are affected by this change: | Operations | |---| | MoveBatchChange | | CloseBatchChange | | DeleteBatchChange | | EnqueueChangesetSync | | ReenqueueChangeset | | ApplyBatchChange | | CreateChangesetJobs (this is used for all bulk operations) | The following resolver operations remain unchanged: | Operations | |---| | CreateEmptyBatchChange | | UpsertEmptyBatchChange | | CreateBatchSpec | | CreateBatchSpecFromRaw | | ExecuteBatchSpec | | CancelBatchSpec | | ReplaceBatchSpecInput | | UpsertBatchSpecInput | The logic for the above operations requires the current user to have access to the namespace regardless of where it was created (user or org namespace). ## Test plan * `org.allMembersBatchChangesAdmin` enabled - You'll need to create an organization and navigate to the settings page for the organization [`/organizations/sourcegraph/settings`](https://sourcegraph.test:3443/organizations/sourcegraph/settings). - In the settings page, set the value of `orgs.allMembersBatchChangesAdmin` to true (this will grant all members of the organization the ability to perform some administrative tasks on Batch Changes created in the org namespace) - Create a Batch Change in the organization namespace. - Access the Batch Change with another user account; this account shouldn't be a site admin but should be a member of the org you created. - This new account should be able to perform the following actions on the Batch Change created by the previous user in the org namespace: | Operations | |---| | MoveBatchChange | | CloseBatchChange | | DeleteBatchChange | | ApplyBatchChange | | Retry a changeset in failed state | | All bulk operations | * `org.allMembersBatchChangesAdmin` disabled or not set - You'll need to create an organization and navigate to the settings page for the organization [`/organizations/sourcegraph/settings`](https://sourcegraph.test:3443/organizations/sourcegraph/settings). - Create a Batch Change in the organization namespace. - Access the Batch Change with another user account; this account shouldn't be a site admin but should be a member of the org you created. - The non-site admin account shouldn't be able to perform the following actions on Batch Changes created in the org namespace: | Operations | |---| | MoveBatchChange | | CloseBatchChange | | DeleteBatchChange | | ApplyBatchChange | | Retry a changeset in failed state | | All bulk operations | (cherry picked from commit 8f73e37)
8b05ce3 to
1ae6ba5
Compare
Member
|
@courier-new I went ahead and landed the dependent PR then rebased this one onto 5.0. Will enable auto-merge. |
Contributor
|
Codenotify: Notifying subscribers in CODENOTIFY files for diff 8ae3a98...1ae6ba5.
|
Contributor
Thank you, Keegan. I'm slotting in for @courier-new here since she's away in dreamland - I'll be monitoring and ready to swoop in if the need arises for CI fixes. |
Contributor
|
Thank you both!! 🙇♀️ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes https://github.com/sourcegraph/sourcegraph/issues/50447
Walkthrough
https://github.com/sourcegraph/accounts/issues/3 identified some areas where Batch Changes didn't solve some of their use cases. One is that Batch Changes created in an org namespace can only be operated by a site admin or the same user who created it.
This PR is a band-aid fix; the hope is that this is appropriately addressed when support for Batch Changes and teams is worked on.
I created a method in the
batchesservice package to check for access to a batch change. The breakdown of the logic of the method is as follows:orgs.allMembersBatchChangesAdminboolean field:The following resolver operations are affected by this change:
The following resolver operations remain unchanged:
The logic for the above operations requires the current user to have access to the namespace regardless of where it was created (user or org namespace).
Test plan
org.allMembersBatchChangesAdminenabledYou'll need to create an organization and navigate to the settings page for the organization
/organizations/sourcegraph/settings.In the settings page, set the value of
orgs.allMembersBatchChangesAdminto true (this will grant all members of the organization the ability to perform some administrative tasks on Batch Changes created in the org namespace)Create a Batch Change in the organization namespace.
Access the Batch Change with another user account; this account shouldn't be a site admin but should be a member of the org you created.
This new account should be able to perform the following actions on the Batch Change created by the previous user in the org namespace:
org.allMembersBatchChangesAdmindisabled or not setYou'll need to create an organization and navigate to the settings page for the organization
/organizations/sourcegraph/settings.Create a Batch Change in the organization namespace.
Access the Batch Change with another user account; this account shouldn't be a site admin but should be a member of the org you created.
The non-site admin account shouldn't be able to perform the following actions on Batch Changes created in the org namespace:
Backport 8f73e37 from #50724