Joey
12/03/2021, 5:49 PMsite
, and have a namespace be either a user namespace or org namespacebryana
12/03/2021, 5:50 PMbryana
12/03/2021, 5:51 PMJoey
12/03/2021, 5:51 PMJoey
12/03/2021, 5:51 PMJoey
12/03/2021, 5:51 PMJoey
12/03/2021, 5:52 PMnamespace:user-userid
Joey
12/03/2021, 5:52 PMnamespace:org-orgid
Joey
12/03/2021, 5:52 PMJoey
12/03/2021, 5:52 PMJoey
12/03/2021, 5:52 PMbryana
12/03/2021, 5:53 PMbryana
12/03/2021, 5:54 PMJoey
12/03/2021, 5:54 PMJoey
12/03/2021, 5:54 PMJoey
12/03/2021, 5:54 PMJoey
12/03/2021, 5:55 PMJoey
12/03/2021, 5:55 PMorganization
exist for each user as well, but then its just another kind of namespace 🙂bryana
12/03/2021, 5:57 PMJoey
12/03/2021, 5:57 PMbryana
12/03/2021, 6:15 PMJoey
12/03/2021, 6:16 PMJoey
12/03/2021, 6:16 PMbryana
12/03/2021, 6:19 PMsite
for other use cases so now that i'm thinking about it I should probably re-use thatJoey
12/03/2021, 6:21 PMJoey
12/03/2021, 6:21 PMJoey
12/03/2021, 6:44 PMBryan
12/03/2021, 7:18 PMdelete_issue
). A user can be a member of that role and a repo can be related to various roles.
The Problem
This a rough approximation of the intended behavior, but falls apart pretty quickly. Consider the scenario where two users monalisa
and geoff
are to be granted the repo_manager
role on repo1
and repo2
, respectively. In real life, monalisa
gets repo_manager
on repo1
, but has no permissions over repo2
and vice-versa for geoff
. However, as the assertions show with this model, any member of repo_manager
gets the repo_manager
permissions on ALL repos that have a relationship with repo_manager
. If there were a third user jeeves
who was given membership of the repo_manager
role, they would get permissions on repo1
and repo2
instantly.
I read the blog post on user defined roles (https://authzed.com/blog/user-defined-roles/). It's almost what I need, but is structurally different from how roles at GitHub work. Repos don't "own" the roles. In the blog post, a role is defined on a per-project basis. The admin
role "belongs" to the pied_piper
project. It couldn't be re-used in a different project.Bryan
12/03/2021, 7:18 PMJake
12/03/2021, 7:35 PM