Page MenuHomePhabricator

It should be possible to view a repository's policies without necessarily being able to edit it
Closed, DuplicatePublic


As far as I can tell at the moment, the only way to see the push policy is to go to the edit page, which will usually be more restricted than the visibility policy of the repository. I suspect there is some other stuff on that edit page that the same applies to.

Event Timeline

Krenair raised the priority of this task from to Needs Triage.
Krenair updated the task description. (Show Details)
Krenair added a project: Diffusion.
Krenair added a subscriber: Krenair.
epriestley edited projects, added Diffusion (v3); removed Diffusion.

Yeah, I think the existing "Edit" page should really be more like the "Manage" page in Projects that anyone who can see the repository can see.

The page is currently restricted because the "errors" section (particularly historically) can contain somewhat-sensitive information (paths, HTTP passwords, arbitrary HTTP content in Mercurial usable in SSRF attacks prior to D12170). But we can separate this out into an "errors" page, say "hey there is an error, click here to see it if you have permission", and let normal users see everything else.

T10337 has some similar discussion about the future of this interface, more from an administrator viewpoint.

I'm going to merge this into T10748 because that's clearly the pathway forward now. You can view the new UI at /diffusion/X/manage/, although it mostly doesn't work yet and there are no links to it in the UI.

I made the "errors" section conditional on being able to edit the repository. Everything else only requires permission to view the repository.

Once this UI is ready, "Edit Repository" will take you to it instead, with appropriate permissions and a label more like "Manage Repository" or similar.