
Don't remove role of user transferring to org

Open di opened this issue 2 years ago • 7 comments

Fixes #13558, originally reported in #12423.

di, Aug 30 '23 16:08

I'm not sure I want to approve this as is. It seems, on revisiting, that the second issue reported that people with non-Owner organization roles were being impacted, which is unexpected.

For Organization Owners performing the transfer, we should still relinquish the direct Owner Role on the project.

ewdurbin, Aug 30 '23 16:08

This just happened to me on https://pypi.org/admin/projects/pip-audit/: I had the Owner role, I transferred it to the pypa org, I lost the Owner role on the project.

I think the overall issue is what @webknjaz mentioned in https://github.com/pypi/warehouse/issues/13558#issuecomment-1634813681: this removes the transferring user as a "Collaborator" on the public project page, which is unexpected and seems to be generally undesirable.

di, Aug 30 '23 16:08

> For Organization Owners performing the transfer, we should still relinquish the direct Owner Role on the project.

I guess what's unclear to me is if this is the case (and I'm still not sure I agree), why do we only remove the user that made the transfer? Why don't we remove all project owners who are also organization owners? What's special about that one user that they should lose the role?

di, Aug 30 '23 16:08

> Why don't we remove all project owners who are also organization owners?

We probably should. The goal is to map user permissions as directly as possible without surprising results (we're failing at that!) without leaving a bunch of vestigial relations which would also be unexpected.

ewdurbin, Aug 30 '23 16:08

It sounds like there are two separate concerns here also. One around permissions and the other around presentation?

ewdurbin, Aug 30 '23 16:08

I think if we also include all organization owners in the public list of collaborators, that would potentially resolve this, but I think there's also an issue of a project trying to determine who has the owner role, since they might not have the ability to see who all organization owners are.

Also, in the case of a transfer out of an organization, what would we expect to happen here? All organization owners become project owners?

di, Aug 30 '23 16:08

I think the other thing that is tripping me (and probably others) up is that this is subtly different than the very familiar permissions model used by GitHub when transferring repo ownership: AFAIK, transferring a repo doesn't affect the presence of any existing roles.

di, Aug 30 '23 17:08