feat: add organization setting to restrict project-scoped contracts #2602
Conversation
| var projectID *uuid.UUID | ||
| if req.ProjectReference.IsSet() { | ||
| // Check if organization prevents project-scoped contracts | ||
| if org.PreventProjectScopedContracts { |
There was a problem hiding this comment.
is this the only place a contract is created? can you check during attestation init?
There was a problem hiding this comment.
We need to double check that a contract can only be created on-demand from this use case. I remember it was also created during a workflow creation, or attestation init.
Would you mind posting there an evaluation of those entrypoints and how this feature will work with the other preventWorkflowCreation feature?
There was a problem hiding this comment.
I don't think this is what we want. What we want is to only allow administrators to create contracts if this setting is set
|
also, what's the use-case here? Can anybody create project contracts? can admins do it? |
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
|
Updated with what have discussed.
We could also restrict creation of the default contract that is created when no contract was specified in workflow creation, but is that desired behavior? |
I think so yes The idea of this feature is to prevent contract sprawl, and the main source of sprawl is the attestation process. |
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Alright, added validation to |
Thanks Does it work in |
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Yes, there shouldn't be any other remaining cases |
| } | ||
|
|
||
| if !membership.Role.IsAdmin() { | ||
| return nil, errors.Forbidden("forbidden", "only organization admins can create contracts") |
There was a problem hiding this comment.
can we make sure the error is cleaner and consistent with what we did in this other check? #2527
ERR creating workflows during the attestation process is disabled for this organization. Please create them in advance or contact your administrator
There was a problem hiding this comment.
Updated direct creation (e.g. wf contract create) to
ERR contract creation is restricted to organization administrators. Please contact your administrator
And indirect creation (e.g. att with --contract flag or wf create) to
ERR contract creation is restricted to organization administrators. Please use existing contracts or contact your administrator
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
| createOpts.Owner = &userID | ||
|
|
||
| // Check if user is an org admin | ||
| membership, err := s.userUseCase.MembershipInOrg(ctx, user.ID, org.Name) |
There was a problem hiding this comment.
I think this roles are already in the membership
There was a problem hiding this comment.
Moved it to a helper that uses context instead of db query
migmartri
left a comment
migmartri
left a comment
There was a problem hiding this comment.
See my comment about reusing the memberships
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
| } | ||
|
|
||
| // isUserOrgAdmin checks if the current user is an org admin or owner | ||
| func isUserOrgAdmin(ctx context.Context, orgUUID uuid.UUID) bool { |
There was a problem hiding this comment.
could you confirm we don't have this already?
There was a problem hiding this comment.
We don't but I found another helper to simplify it even further
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
3 participants
This PR adds a new organization-level setting that allows administrators to restrict contract creation to be only available for organization admins, preventing their creation by org members and project admins.
When setting is enabled and non-admin user tries to run
att initwithout specifying contract an error is returned: