#521  Role management with Job Privilege
Closed
bufferUnderrun opened 2 years ago

Hi,

i want my helpdesk coworker can run job so they try this before calling me at 3.00AM.

I just let them run job or access to issue but not source code so i create image.png

when i connect this a such account image_2.png

They can only re-run job but not run a specific job or set notification when job is run.

How do it :

  • let them run job base on a specific commit but not the source code
  • enable/disable notification based on job query

Thanks

Robin Shen commented 2 years ago

let them run job base on a specific commit but not the source code

If user can access commit info to run job, they have some info of the source, why not let them accessing source then.

enable/disable notification based on job query

you can subscribe to a build query to get notifications:

2022-01-10_19-44-09.png

Robin Shen changed state to 'Closed' 2 years ago
Previous Value Current Value
Open
Closed
bufferUnderrun commented 2 years ago

If user can access commit info to run job, they have some info of the source, why not let them accessing source then.

Well, that's the point !

The only place where they can run an old job is in the commit page. So they have to list the commit and commit message but NOT the source as i don't want they exfiltrate source code.

Robin Shen commented 2 years ago

I personally feel that it is not very reasonable to have users seen commits (which is necessary to run build against), but not being able to see source. Sometimes, it is even necessary to check source of the commit to make sure the job is running against right commit...

bufferUnderrun commented 2 years ago

This is for helpdesk support, they don't have the knowledge to read source code instead they read the commit message to take a decision and run the associated job.

But only owner and dev can access source code for security reason.

Robin Shen changed state to 'Open' 2 years ago
Previous Value Current Value
Closed
Open
Robin Shen commented 2 years ago

Will improve so that user can choose commit to build against in builds page.

Robin Shen commented 2 years ago

Trying to implement this, feature but turns out this feature is flawed. For instance, to find out appropriate commits to build against, OneDev may need to be able to search commits by author/file, and may also need to show branches/tags, and this discloses much of source info.

Due to this, I'd like not to implement this feature. Instead the role editing page will be improved to make sure code read privilege is also specified if job run privilege is specified.

Robin Shen changed state to 'Closed' 2 years ago
Previous Value Current Value
Open
Closed
bufferUnderrun commented 2 years ago

I understand, thanks

issue 1 of 1
Type
Improvement
Priority
Normal
Assignee
Issue Votes (0)
Watchers (2)
Reference
onedev/server#521
Please wait...
Page is in error, reload to recover