
When Diffusion's "Can Create Repositories" application setting is "All Users," users still can't create repositories
Closed, Wontfix · Public

Description

System info:

Steps:

  1. From Applications, open Diffusion's application settings [is it just me, or is the gear icon rendering as a paw print?]
  2. Edit Policies
    • change "Can Create Repositories" to "All Users"
    • leave "Default Edit Policy" on its default value ("Administrators," right?)
  3. Save Policies
  4. As a non-admin user, go to Diffusion and try to create a new hosted repository
    • Of course, when selecting access policies for the repository, set "Editable By" to something that includes yourself. Otherwise, the page won't let you proceed.
    • Once you're past the access policies page, select "Create Repository Now" or "Configure More Options First"; it doesn't matter which. The finish line is so close! You're almost there! Click Save.

What happens:

The repository is not created, and you get an error:

You Shall Not Pass: Unknown Object (VOID)
You do not have permission to edit this object.

Users with the "Can Edit" capability:

  • Administrators can take this action.

What should happen:

Actually, I'm not sure. It depends on what "Default Edit Policy" means.

  • Does "Default Edit Policy" simply specify which value is the default/preselected on the "Select access policies for this repository" page of the Create Repository workflow?
    • If so, there might be a bug. Currently, whatever you set as the "Default Edit Policy" is what's preselected during the Create workflow, as expected. However, even if the user changes it to "All Users," he still can't create the repository if he's not included in "Default Edit Policy."
  • Or is "Default Edit Policy" a real policy that's applied to repository objects?
    • If so, then I think everything is working as intended; it's just not very obvious. When I was looking at the Diffusion application settings page for the first time, my intuition was that setting "Can Create Repositories" to "All Users" would be all it took to allow any user to create a repository. It would probably suffice to provide instructions on that page (something like "Default Edit Policy should be at least as permissive as Can Create Repositories"), or perform the same kind of policy sanity checks that are done during the Create workflow.

Also see T4242, which has a similar description, and which was resolved by moving the policy step into the Create workflow. In my case, however, the workflow fails at the end regardless of what the user selects in the policy step.

Event Timeline

ephemeris raised the priority of this task from to Needs Triage.
ephemeris updated the task description.
ephemeris added a subscriber: ephemeris.

Hmm... Do https://secure.phabricator.com/chatlog/channel/6/?at=152610 and the "Original Problem" in the description of T6860 apply here as well?

I think the same issues can be seen in Maniphest:

Set "Can Edit Task Status" to "No One" and everything else to "all users", and then task creation is blocked, presumably because the user can't set the initial value.

Yeah, I think this is sort of confusing. My understanding is:

Default Edit Policy: This is the edit policy applied to an object after it's created.
Can Create Policy: Who can create objects.

That means you can have "Object Creators" and "Object Editors" and they're separate groups of people. And more specifically, the creators, if not part of "Object Editors", can't edit the object they created. Mostly, these should be set to the same group ("All Users").

epriestley claimed this task.
epriestley added a subscriber: epriestley.

I think there were some bugs in the past that have now been resolved, but I'm not planning to fix the root of this, which is that you cannot create repositories if the default "Edit Policy" excludes you, even if you have permission to create them according to "Can Create Repositories".

As of writing, the error you get is this:

[Screenshot: Screen Shot 2016-05-09 at 4.26.46 PM.png]

Since you can't change the policy on this screen, there's no way to continue.

If this screen did include an "Edit Policy" control, you would be able to select a different (less restrictive) policy and continue, but I've intentionally omitted it from this screen to simplify the flow.

(If you use the API instead, you can create repositories, because you can specify a new edit policy in your initial transaction group.)

I think this use case is very rare, and I haven't seen other users encountering confusion in about a year, as far as I can recall. This may be resolved indirectly through EditEngine changes in the future via T6722.
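
The interaction described in this thread, modeled as an added example (not Phabricator's code and not from any participant): a settings check that lists users who hold "Can Create Repositories" but would be stopped by "Default Edit Policy" on the web form. The evaluation logic, the `settings` keys and the sample users are assumptions made for illustration; only the policy names come from the page.

```python
# Simplified model of the behaviour described in this task. Policy names are
# the ones quoted in the thread; the evaluation logic is an assumption.
ALL_USERS, ADMINS, NO_ONE = "All Users", "Administrators", "No One"

def passes(policy, user):
    """Return True if `user` (dict with 'is_admin') satisfies a named policy."""
    if policy == ALL_USERS:
        return True
    if policy == ADMINS:
        return user["is_admin"]
    if policy == NO_ONE:
        return False
    raise ValueError(f"unknown policy: {policy!r}")

def can_create_repository(user, settings, initial_edit_policy=None):
    """Decide whether creation succeeds under this model.

    settings: {'can_create': ..., 'default_edit': ...} (hypothetical keys).
    initial_edit_policy: edit policy sent with the creating request, which the
    thread says is possible through the API; None models the web form, which
    has no "Edit Policy" control.
    """
    if not passes(settings["can_create"], user):
        return False, 'blocked by "Can Create Repositories"'
    effective = initial_edit_policy or settings["default_edit"]
    if not passes(effective, user):
        return False, f'blocked by edit policy "{effective}"'
    return True, "ok"

def lint_settings(settings, users):
    """Names of users who may create but would hit the error on the web form."""
    stranded = []
    for user in users:
        may_create = passes(settings["can_create"], user)
        web_ok, _ = can_create_repository(user, settings)
        if may_create and not web_ok:
            stranded.append(user["name"])
    return stranded

# Constructed sample data reproducing the configuration in the report.
SETTINGS = {"can_create": ALL_USERS, "default_edit": ADMINS}
USERS = [{"name": "admin1", "is_admin": True},
         {"name": "dev1", "is_admin": False}]

if __name__ == "__main__":
    print(lint_settings(SETTINGS, USERS))
    print(can_create_repository(USERS[1], SETTINGS))
    print(can_create_repository(USERS[1], SETTINGS, initial_edit_policy=ALL_USERS))
```

An empty result from `lint_settings` means every user with the create capability also passes the default edit policy, which is the "set both to the same group" configuration suggested earlier in the thread.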