
Maintainer Role

Open · colby-swandale opened this issue 7 months ago · 1 comment

What's this about?

RubyGems.org currently has a single implicit role assigned to everyone who is an owner of a given gem. This role lets any gem owner do any, and all, things to a gem without restriction, such as adding & removing other owners, publishing new versions, yanking versions etc. In recent years, a strong desire in the community has emerged for a role system to be introduced for groups & businesses to better align their organizational structure and reduce the impact blast of any potential account takeover.

What this Pull Request introduces

  • This Pull Request adds the formal concept of an Owner & Maintainer role and what permissions are granted.
  • Adds a new field to Ownership that assigns a particular role for that gem + owner relationship.
  • Adds a new form to edit an existing ownership to allow users' roles to be updated (Owners or Maintainers cannot update their own Role).

What this Pull Request is not introducing

  • Fine grained access controls. Permissions & Roles will remain specified in source code and cannot be modified by users.

Technical Details

We've added a new field to the Ownership table that records the user's current role. Inside Rails this is mapped from a string, either "maintainer" or "owner", to a new mapped integer in Access, which is the thing that's stored in Postgres.

This integer is then used to determine what level of access is granted inside the Rubygem policy.

Decisions made for this Pull Request

The blast radius of this change if things go wrong is very big; worst case is we stop anyone from publishing new versions. So a priority on maintaining the status quo was put in place to guide this PR.

  • All existing ownerships will remain untouched with the same permissions they currently have.
  • The default role offered to users in our UI will remain as "Owner", the same role that was implicitly assigned.

Owner vs Maintainer

Permission                  Owner    Maintainer
Manage Owners
Publish Version
Yank Version
Manage Adoptions
Manage Trusted Publishing

Screenshots

[Screenshot: Viewing current owners and their role]

[Screenshot: Updating a user's role]

[Screenshot: User notification of their role being updated]

colby-swandale · Jul 11 '24 16:07
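The mechanism the PR describes (a role name stored as a mapped integer in Access, a policy that derives permissions from that integer, and the rule that an owner cannot change their own role) can be sketched in plain Ruby. The example below is an added illustration, not code from the rubygems.org pull request. The integer values, the permission-to-role matrix (which the table above lists but whose per-role marks are not shown here), and the class and method names are all assumptions for the sake of the example.

```ruby
# Added example, not rubygems.org's own code. Models the design described in
# the PR: Ownership stores an integer access level derived from a role name,
# and a policy object answers "may this user do X to this gem?" from that
# integer. Constants, names and the permission matrix are assumptions.

module Access
  # Role name -> stored integer (assumed values). A higher number means broader
  # access, so each permission can be expressed as a minimum required level.
  MAINTAINER = 50
  OWNER      = 70

  ROLES = { "maintainer" => MAINTAINER, "owner" => OWNER }.freeze

  # Maps the string the user picks in the UI to the integer kept in Postgres.
  # Unknown role names are rejected rather than silently defaulting.
  def self.from_role(role)
    ROLES.fetch(role.to_s) { raise ArgumentError, "unknown role: #{role.inspect}" }
  end

  # Reverse mapping, used when rendering the owners list.
  def self.role_for(level)
    role = ROLES.key(level)
    raise ArgumentError, "unknown access level: #{level.inspect}" if role.nil?
    role
  end
end

# Stand-in for the ActiveRecord Ownership model (constructed for the example).
Ownership = Struct.new(:user, :rubygem, :access) do
  # Default matches the PR's status-quo decision: new ownerships are owners.
  def self.build(user, rubygem, role: "owner")
    new(user, rubygem, Access.from_role(role))
  end

  def role
    Access.role_for(access)
  end
end

class RubygemPolicy
  # Minimum access level per action. Assumed matrix: maintainers can publish
  # and yank; only owners manage owners, adoptions and trusted publishing.
  MINIMUM_ACCESS = {
    manage_owners:             Access::OWNER,
    publish_version:           Access::MAINTAINER,
    yank_version:              Access::MAINTAINER,
    manage_adoptions:          Access::OWNER,
    manage_trusted_publishing: Access::OWNER
  }.freeze

  def initialize(user, rubygem, ownerships)
    @user = user
    @ownership = ownerships.find { |o| o.user == user && o.rubygem == rubygem }
  end

  # Users with no ownership row get nothing, regardless of action.
  def allowed?(action)
    return false unless @ownership
    @ownership.access >= MINIMUM_ACCESS.fetch(action)
  end

  # Changing a role is a "manage owners" action, and never applies to oneself.
  def update_role?(target_ownership)
    allowed?(:manage_owners) && target_ownership.user != @user
  end
end

# Applies a role change only when the policy permits it; returns the new role
# name on success or nil when the change is refused.
def change_role(actor, target_ownership, new_role, ownerships)
  policy = RubygemPolicy.new(actor, target_ownership.rubygem, ownerships)
  return nil unless policy.update_role?(target_ownership)
  target_ownership.access = Access.from_role(new_role)
  target_ownership.role
end
```

Expressing permissions as a minimum access level keeps the matrix in source code, matching the PR's decision not to offer user-editable fine-grained controls, and means a future role only needs an integer placed between the existing ones.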