Organizations: Test access from anonymous users and users outside the organization #8603
Conversation
stsewd
force-pushed
the
test-orgs-views-outside-org
branch
2 times, most recently
from
f81720d to
2566107
Compare
… organization Currently I'm checking the global option of `ALLOW_PRIVATE_REPOS` to give access to public views to users outside the org. We could introduce a privacy level for the organization if we want.
stsewd
force-pushed
the
test-orgs-views-outside-org
branch
from
2566107 to
3409571
Compare
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@stsewd is this still a valid PR? Seems useful, so we should review it if so. |
It's, it should be ready now |
There was a problem hiding this comment.
This looks like a solid change. Also asking @humitos for a review to ✅ it, since I'm not 100% the implications here.
We could introduce a privacy level for the organization if we want.
Privacy levels are already quite confusing. We definitely don't want to add more of them unless we really need to.
| Return all teams the user has access to. | ||
|
|
||
| If ``ALLOW_PRIVATE_REPOS`` is `False`, all teams are public by default. | ||
| Otherwise, we return only the teams where the user is a member. |
There was a problem hiding this comment.
Huh.. do we want teams to always be public? I guess the example here is Orgs & Teams on .org once we enable them. I guess I'm fine defaulting them public, since everything is default public now.
There was a problem hiding this comment.
I had the same thought as Eric here. Where, or in which situations, are we going to show these teams to anonymous users?
How do other platforms work here? In GitHub for example, I don't think you have access to see all the teams inside an organization. For example, in ours https://github.com/orgs/readthedocs/people, I don't think we have a way to list backend, frontend and advocate teams there. However, on PRs I can see those teams publicly: #929. When logged in, I can access to its members as well https://github.com/orgs/readthedocs/teams/backend
Another thing that GitHub has related to permissions on teams/organizations is "I want to show publicly that I'm member of this organization". Which adds another layer of complexity here.
I'm just describing how another platform works, I'm not saying we need to implement any of this, but just to keep in mind where are we going with this and how do we want it to work.
| return self.filter( | ||
| Q(owners__in=[user]) | Q(teams__members__in=[user]), | ||
| ).distinct() | ||
|
|
||
| def for_admin_user(self, user): | ||
| """List all organizations where the user is an owner.""" | ||
| if not user.is_authenticated: | ||
| return self.none() |
There was a problem hiding this comment.
I assume these are just optimizations?
There was a problem hiding this comment.
I took a look at this and the changes look fine. However, I'm a little worried about changing the auth logic without understanding exactly why 😄 . Basically, why these changes are needed? What are their benefits? I'm not sure to follow the goal of the PR. Is it just a refactor?
We are now using .public instead of .for_user, but there is nothing extra returned on .public methods since we don't have privacy levels in organizations, so 🤷🏼 . I'm confused...
| Return all teams the user has access to. | ||
|
|
||
| If ``ALLOW_PRIVATE_REPOS`` is `False`, all teams are public by default. | ||
| Otherwise, we return only the teams where the user is a member. |
There was a problem hiding this comment.
I had the same thought as Eric here. Where, or in which situations, are we going to show these teams to anonymous users?
How do other platforms work here? In GitHub for example, I don't think you have access to see all the teams inside an organization. For example, in ours https://github.com/orgs/readthedocs/people, I don't think we have a way to list backend, frontend and advocate teams there. However, on PRs I can see those teams publicly: #929. When logged in, I can access to its members as well https://github.com/orgs/readthedocs/teams/backend
Another thing that GitHub has related to permissions on teams/organizations is "I want to show publicly that I'm member of this organization". Which adds another layer of complexity here.
I'm just describing how another platform works, I'm not saying we need to implement any of this, but just to keep in mind where are we going with this and how do we want it to work.
| def test_private_urls(self): | ||
| from readthedocs.organizations.urls.private import urlpatterns | ||
|
|
||
| self._test_url(urlpatterns) |
There was a problem hiding this comment.
Pretty hard to follow all these tests with such magic. None of them seems to do anything different one from the other (just a setting and URLs). I assume that all this magic is inside this method :/
I assume this is fine, tho, to avoid repetition, but... :(
| """ | ||
| Return all organizations the user has access to. | ||
|
|
||
| If ``ALLOW_PRIVATE_REPOS`` is `False`, all organizations are public by default. |
There was a problem hiding this comment.
I think we should probably rename this to RTD_CORPORATE or something. We have been using this setting to differentiate if we are on .org or .com lately, but it's not what the name suggests.
| @@ -72,7 +72,7 @@ def get_organization_queryset(self): | |||
| """ | |||
| if self.admin_only: | |||
| return Organization.objects.for_admin_user(user=self.request.user) | |||
| return Organization.objects.for_user(user=self.request.user) | |||
| return Organization.objects.public(user=self.request.user) | |||
There was a problem hiding this comment.
We don't have the concept of privacy level in Organizations, so I'm not sure these changes make a ton of sense.
| @@ -109,7 +109,11 @@ def get_team_queryset(self): | |||
| This will either be team the user is a member of, or teams where the | |||
| user is an owner of the organization. | |||
| """ | |||
| return Team.objects.member(self.request.user).filter( | |||
| if self.admin_only: | |||
There was a problem hiding this comment.
Where are we setting this self.admin_only?
|
@stsewd would be good to address the review comments here and get this merged, if possible. |
|
Ping @stsewd ☝️ We can also push this out some sprints or back on the backlog if it makes sense to return to this later instead. |
I'm fine with that, this isn't a priority for me at the moment, I do want to finish this some time :) |
|
Pushed it back a few sprints 👍 |
|
I'm putting this back into Q2, so we come back to this PR soon. |
|
Doing some pruning here. How likely are we to get back to this PR? Is it worth prioritizing in the near future, or should we discuss retiring this work? |
I'm fine closing this, it may be helpful when we decide to introduce organizations in community. |
Currently, I'm checking the global option
of
ALLOW_PRIVATE_REPOSto give access to public viewsto users outside the org.
I'm using the same patter we already have with projects about having a
publicqueryset.We could introduce a privacy level for the organization if we want.