🚀 Feature: Scaffolder task list permissions #27421

Open
2 tasks done
drodil opened this issue Nov 1, 2024 · 1 comment
Labels
area:permission Related to the Permission Project Area area:scaffolder Everything and all things related to the scaffolder project area enhancement New feature or request

Comments

@drodil
Contributor

drodil commented Nov 1, 2024

🔖 Feature description

The scaffolder task read permissions do not allow the creation of complex permissions. Currently, it's only on/off with the taskReadPermission, and there is no possibility to add conditions.

🎤 Context

We would like to limit the listed tasks so that:

  1. The user can see his own runs
  2. The template owner can see all runs of that template
  3. If the user doesn't have read access to the template entity, the task should be hidden

Number 3 is not really that big of an issue, as the template name seems to be hidden in the task list if the user does not have access to it, but it still allows the user to see the output + logs of the run.

✌️ Possible Implementation

Add additional conditions for the taskReadPermission. At least the following rules should be available:

  • isTaskCreator - should filter based on the createdBy column using the current user entity ref
  • hasCreatedBy - should filter based on the createdBy column in the SerializedTask
  • hasTemplateEntityRef - should filter based on the spec.templateInfo.entityRef in the spec column of SerializedTask. This requires some JSON query magic
  • hasTemplateAccess - should also filter by template entityRef but include only template references the user has access to. Probably requires a catalog call to get the entity refs.

Additionally, some other rules that could be done:

  • hasStatus - should filter by task status

👀 Have you spent some time to check if this feature request has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None
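
A sketch of how the three visibility requirements above could compose from the proposed rules, added here as an example and not taken from Backstage or the scaffolder code base: the rules are modelled as plain TypeScript predicates over constructed task records. The `Caller` type, `ownsTemplate`, `anyOf`/`allOf`, `visibleTasks` and all sample data are assumptions for illustration; the issue itself proposes filtering on the `createdBy` and `spec` columns.

```typescript
// Added illustration, not Backstage code. Field names follow the issue text.
type Task = {
  id: string;
  createdBy?: string;
  status: string;
  spec: { templateInfo?: { entityRef: string } };
};
// Hypothetical caller context, resolved beforehand (e.g. via a catalog lookup).
type Caller = { userRef: string; readableTemplates: Set<string>; ownedTemplates: Set<string> };
type Rule = (task: Task, caller: Caller) => boolean;

const isTaskCreator: Rule = (t, c) => t.createdBy === c.userRef;
// A task with no template reference never matches, so it stays hidden.
const hasTemplateEntityRef = (refs: Set<string>): Rule => t => {
  const ref = t.spec.templateInfo?.entityRef;
  return ref !== undefined && refs.has(ref);
};
const hasTemplateAccess: Rule = (t, c) => hasTemplateEntityRef(c.readableTemplates)(t, c);
const ownsTemplate: Rule = (t, c) => hasTemplateEntityRef(c.ownedTemplates)(t, c);

const anyOf = (...rules: Rule[]): Rule => (t, c) => rules.some(r => r(t, c));
const allOf = (...rules: Rule[]): Rule => (t, c) => rules.every(r => r(t, c));

// Requirement 3 gates everything; requirements 1 and 2 are alternatives.
const taskReadPolicy = allOf(hasTemplateAccess, anyOf(isTaskCreator, ownsTemplate));

function visibleTasks(tasks: Task[], caller: Caller): string[] {
  return tasks.filter(t => taskReadPolicy(t, caller)).map(t => t.id);
}

// Constructed sample data.
const svc = 'template:default/svc';
const secret = 'template:default/secret';
const mk = (id: string, createdBy: string, ref?: string): Task => ({
  id, createdBy, status: 'completed',
  spec: ref ? { templateInfo: { entityRef: ref } } : {},
});
const sampleTasks: Task[] = [
  mk('t1', 'user:default/alice', svc),
  mk('t2', 'user:default/bob', svc),
  mk('t3', 'user:default/alice', secret), // own run, template not readable
  mk('t4', 'user:default/bob'),           // no template reference
];
const alice: Caller = { userRef: 'user:default/alice',
  readableTemplates: new Set<string>([svc]), ownedTemplates: new Set<string>() };
const carol: Caller = { userRef: 'user:default/carol',
  readableTemplates: new Set<string>([svc, secret]), ownedTemplates: new Set<string>([svc]) };
console.log(visibleTasks(sampleTasks, alice), visibleTasks(sampleTasks, carol));
```

Putting `hasTemplateAccess` in the outer `allOf` is what closes the gap described under number 3: a creator who has lost read access to the template no longer sees that run's output and logs.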

@drodil drodil added the enhancement New feature or request label Nov 1, 2024
@github-actions github-actions bot added area:permission Related to the Permission Project Area area:scaffolder Everything and all things related to the scaffolder project area labels Nov 1, 2024
@stephenglass
Contributor

PR #25969 is relevant; however, there are still some changes requested.
