Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Permissions to all feeds Except one

    Scheduled Pinned Locked Moved Support
    7 Posts 3 Posters 23 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      Stephen.Schaff
      last edited by

      I have a user that I want to have permissions to all feeds except one (or maybe a few).

      I thought that the option of "Add Restriction" would allow me to setup an "All Feeds" permissions, and then a Restriction permission (in permissions systems, a deny usually overrides an allow).

      But it did not work as I had hoped. Here is what I did:

      • Picked a user that already has "Publish Packages" and "View & Download Packages" permissions to all feeds.
      • Ensure that this user does not have any admin or manage feed permissions (or any other permissions in any other permissions grouping)
      • Add a restriction for the user to one feed.
      • Opened the "Test Permissions" feature and entered the user and the feed.

      As I said, it did not change the permissions for the user. (They still had full publish and view permissions.)

      I am really hoping that I do not need to add each feed to my user. (As new feeds are added, keeping up with that will be tedious and error prone.)

      Is there a way to give a user access to all feeds except one or two?

      atrippA 1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer @Stephen.Schaff
        last edited by

        @Stephen-Schaff what was the restriction that you added? The "Publish Packages" and "View & Download Packages" tasks are made up of a collection of attributes, and those are what's tested. So you'd want to Restrict both of those.

        Restrictions override grants, but more a more-specific grant will override a less-specific deny. But in any case, a Grant at the system level, with a Deny at the feed level should accomplish what you're doing.

        If you can share a screenshot that might help us see it as well

        1 Reply Last reply Reply Quote 0
        • S Offline
          Stephen.Schaff
          last edited by Stephen.Schaff

          Here is a step by step repro of what I did:

          1. Add my user (SA9350001) as a Publisher and Viewer:
            bf21e521-05fb-45ed-aaab-a896d64009a1-image.png
            0149689c-1d3f-43fc-ba9c-2e100de078a5-image.png
          2. Test Permissions for my user:
            f1794238-0367-48a4-8b3a-86a8c3ef9da0-image.png
          3. Add a restriction for my user:
            bdb67f05-98fb-43bf-9e52-68922da4635e-image.png
          4. Ensure that the restriction was added:
            f623891a-2fe3-4f95-8721-eafc119285cc-image.png
          5. Check permissions again:
            bb6cf425-6867-4fbd-8943-54cbf0667150-image.png

          I would expect the Feeds_AddPackage to be removed from the list.

          NOTE: The only other spot that SA935001 appears on the Tasks screen is a Publish Packages grant for a feed called ESP-NPM. But as that is only on that one feed, I did not expect it to interfere with the deny.

          1 Reply Last reply Reply Quote 0
          • rhessingerR Offline
            rhessinger inedo-engineer
            last edited by

            Hi @Stephen-Schaff,

            I'm having a bit of trouble recreating this issue. Can you answer a few questions for me?

            • What version of ProGet are you running?
            • Is this installed on Windows or running in Docker?
            • Can you please attach a screenshot of the attribute of the Publish Packages task?
              • You can find this by navigating to _Administration -> Users & Tasks -> Tasks -> Customize Tasksand clike on thePublish Packages` task.

            Thanks,
            Rich

            Products Engineer, Inedo

            1 Reply Last reply Reply Quote 0
            • S Offline
              Stephen.Schaff
              last edited by

              @rhessinger thank you for looking into this for me.

              I am using ProGet Version 5.3.21 (Build 24).

              It is running on a Windows Virtual Machine.

              Here is the Publish Packages task:

              e723b3d7-41ac-4e87-9eb4-77c900162b7c-image.png

              Thanks again for your help!

              1 Reply Last reply Reply Quote 0
              • rhessingerR Offline
                rhessinger inedo-engineer
                last edited by

                Hi @Stephen-Schaff,

                The Publish Packages task should actually trump View & Download. When I test your steps, it shows me that the user has no effective permissions on the Base feed. To accomplish what you would like to do you should do the following:

                1. Create a new Custom Task (in the Customize Tasks). Call it Publish Only and give it the Add Package attribute.
                2. Add the user to publish on all feeds
                3. Restrict Publish only on the Base feed

                That should give you the publish restriction you are looking for. Can you please give that a try and let me know if that works?

                Thanks,
                Rich

                Products Engineer, Inedo

                1 Reply Last reply Reply Quote 0
                • S Offline
                  Stephen.Schaff
                  last edited by

                  I think I have an idea of what is happening here. I think that this issue is actually caused by my other open issue: https://forums.inedo.com/topic/3164/user-seen-as-a-group

                  I noticed that when I am adding any service account user, it is added as a group instead of a user. Actual users do not have this issue. In fact if you look at step 4 in my reply on Feb 12th, you will see that the restriction added shows the user as a group (purple background).

                  Lets suspend this issue until the we have figured out the issue with users being added as groups.

                  1 Reply Last reply Reply Quote 0

                  Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                  Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                  With your input, this post could be even better 💗

                  Register Login
                  • 1 / 1
                  • First post
                    Last post
                  Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation