Allow site config to be overridden by trusted users #112
This does away with the JSON approach of #60 as that adds no real security. Instead we can maintain a list of trusted OAuth accounts that will be allowed to use the site config feature. Anyone who is V+2 can be added to this list, as V+2ers can already execute arbitrary code on the server. To begin with we should use the regex feature to allow
Would love to be able to do this, but how exactly does the code detect if a user is V+2? OAuth connects to SUL, and being able to vote V+2 is based on gerrit permissions on an account that may not be connected.
This patch requires us to manually maintain a list of trusted users.
I like this but I'd also like to avoid maintaining that list for the rest of my life, hmm…
One could host the user list in a Gerrit repo, then v+2ers could add themselves.
That would also require CR+2, though that should not be a problem since the two usually go together. Sounds like a good idea to me. New repo, something like
776e4b8 to 75dba6b
// Same as above, but regexes e.g. / \(WMF\)$/ | ||
'configurersMatch' => [], | ||
// Instructions to request 'configurers' user status, e.g. "File a request <a href=...>here</a>." | ||
'configurersRequestHtml' => '', |
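Review bot: the comment on 'configurersMatch' does not say which string the regexes are tested against, and a match is what grants the site config override. State that it is the OAuth username and that patterns should be anchored like the `/ \(WMF\)$/` example, because an unanchored pattern matches anywhere in the name. On 'configurersRequestHtml', the key name and the `<a href=...>` example imply the value is output without escaping; say that in the comment so it is only ever set from trusted config.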
Suggested config for us:
Request approval by creating a <a href="https://github.com/MatmaRex/patchdemo/issues/new">new issue</a>.
Fixes #19
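
The check this PR describes (an exact list of trusted OAuth accounts plus the `configurersMatch` regexes), sketched as an added example; it is not the patch's code. The `configurers` key name, the `isConfigurer()` helper and the sample usernames are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the patchdemo repository.
// 'configurersMatch' appears in the diff; 'configurers' (exact names) is an assumed key.

function isConfigurer( ?string $username, array $config ): bool {
	// No OAuth identity: never trusted.
	if ( $username === null || $username === '' ) {
		return false;
	}
	// Exact, case-sensitive comparison against the maintained list.
	if ( in_array( $username, $config['configurers'] ?? [], true ) ) {
		return true;
	}
	foreach ( $config['configurersMatch'] ?? [] as $regex ) {
		// preg_match() returns 1 on match, 0 on no match, false on a broken pattern.
		$result = @preg_match( $regex, $username );
		if ( $result === false ) {
			// Fail closed: a malformed pattern grants nothing, but is logged.
			error_log( "configurersMatch: invalid pattern $regex" );
			continue;
		}
		if ( $result === 1 ) {
			return true;
		}
	}
	return false;
}

// Constructed sample config and usernames.
$config = [
	'configurers' => [ 'ExampleMaintainer' ],
	'configurersMatch' => [ '/ \(WMF\)$/', '/[unclosed' ],
];
$names = [ 'ExampleMaintainer', 'examplemaintainer', 'Alice (WMF)', 'Alice (WMF) fan', null ];
foreach ( $names as $name ) {
	printf(
		"%-22s %s\n",
		var_export( $name, true ),
		isConfigurer( $name, $config ) ? 'allowed' : 'denied'
	);
}
```

Only `ExampleMaintainer` and `Alice (WMF)` are allowed: the list comparison is case-sensitive, the end anchor rejects `Alice (WMF) fan`, and the malformed second pattern is skipped rather than treated as a match.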