Bug #5192

[API] Disallow changing the name of a repository record (by non-admin users)

Added by Peter Amstutz almost 6 years ago. Updated almost 6 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Radhika Chippada
Category:
API
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Story points:
0.5

Description

Currently, a regular user can rename a repository, but the new name will resolve to a new empty repository: the content of the existing repository does not move with the name (but you can go back to the old content by renaming the repository record again).

Short term fix is to disallow changing the name attribute of a repository unless current_user.andand.is_admin.

Longer term fix is #4253.


Related issues

Related to Arvados - Feature #4253: [API] Users can create their own arvados-hosted git repositoriesResolved10/17/2014

Related to Arvados - Bug #5190: [Workbench] Tell admins not to put hyphens in repository namesResolved03/08/2015

History

#1 Updated by Peter Amstutz almost 6 years ago

  • Subject changed from [API] Renaming repository results in gitolite creating a new repository to [API] Renaming repository results in a new repository
  • Description updated (diff)

#2 Updated by Peter Amstutz almost 6 years ago

  • Description updated (diff)

#3 Updated by Tom Clegg almost 6 years ago

  • Target version changed from Bug Triage to 2015-03-11 sprint

#4 Updated by Ward Vandewege almost 6 years ago

  • Story points set to 0.5

#5 Updated by Tom Clegg almost 6 years ago

  • Subject changed from [API] Renaming repository results in a new repository to [API] Disallow changing the name of a repository record
  • Description updated (diff)
  • Category set to API
  • Story points deleted (0.5)

#6 Updated by Tom Clegg almost 6 years ago

  • Story points set to 0.5

#7 Updated by Radhika Chippada almost 6 years ago

  • Assigned To set to Radhika Chippada

#8 Updated by Radhika Chippada almost 6 years ago

  • Status changed from New to In Progress

#9 Updated by Radhika Chippada almost 6 years ago

  • Subject changed from [API] Disallow changing the name of a repository record to [API] Disallow changing the name of a repository record (by non-admin users)
  • Status changed from In Progress to Resolved

Both API and Workbench already disallow a non-admin user from changing a repository name.

  • API: repository.rb -> permission_to_update method allows only admin user to update a repository. A unit test "active user cannot change repo name via can_manage permission" exists in api/test/unit/permission_test.rb
  • Workbench: Workbench hides the "Attributes" tab from non-admin users. In addition, repository.rb -> editable_attributes returns an empty array for non-admin users and allows only admin users to update the object.

Also available in: Atom PDF