Permissions to all feeds Except one

Stephen.Schaff

I have a user that I want to have permissions to all feeds except one (or maybe a few).

I thought that the option of "Add Restriction" would allow me to setup an "All Feeds" permissions, and then a Restriction permission (in permissions systems, a deny usually overrides an allow).

But it did not work as I had hoped. Here is what I did:

Picked a user that already has "Publish Packages" and "View & Download Packages" permissions to all feeds.
Ensure that this user does not have any admin or manage feed permissions (or any other permissions in any other permissions grouping)
Add a restriction for the user to one feed.
Opened the "Test Permissions" feature and entered the user and the feed.

As I said, it did not change the permissions for the user. (They still had full publish and view permissions.)

I am really hoping that I do not need to add each feed to my user. (As new feeds are added, keeping up with that will be tedious and error prone.)

Is there a way to give a user access to all feeds except one or two?

atripp

@Stephen-Schaff what was the restriction that you added? The "Publish Packages" and "View & Download Packages" tasks are made up of a collection of attributes, and those are what's tested. So you'd want to Restrict both of those.

Restrictions override grants, but more a more-specific grant will override a less-specific deny. But in any case, a Grant at the system level, with a Deny at the feed level should accomplish what you're doing.

If you can share a screenshot that might help us see it as well

Stephen.Schaff

Here is a step by step repro of what I did:

Add my user (SA9350001) as a Publisher and Viewer:
Test Permissions for my user:
Add a restriction for my user:
Ensure that the restriction was added:
Check permissions again:

I would expect the Feeds_AddPackage to be removed from the list.

NOTE: The only other spot that SA935001 appears on the Tasks screen is a Publish Packages grant for a feed called ESP-NPM. But as that is only on that one feed, I did not expect it to interfere with the deny.

rhessinger

Hi @Stephen-Schaff,

I'm having a bit of trouble recreating this issue. Can you answer a few questions for me?

What version of ProGet are you running?
Is this installed on Windows or running in Docker?
Can you please attach a screenshot of the attribute of the Publish Packages task?
- You can find this by navigating to _Administration -> Users & Tasks -> Tasks -> Customize Tasksand clike on thePublish Packages` task.

Thanks,
Rich

Stephen.Schaff

@rhessinger thank you for looking into this for me.

I am using ProGet Version 5.3.21 (Build 24).

It is running on a Windows Virtual Machine.

Here is the Publish Packages task:

Thanks again for your help!

rhessinger

Hi @Stephen-Schaff,

The Publish Packages task should actually trump View & Download. When I test your steps, it shows me that the user has no effective permissions on the Base feed. To accomplish what you would like to do you should do the following:

Create a new Custom Task (in the Customize Tasks). Call it Publish Only and give it the Add Package attribute.
Add the user to publish on all feeds
Restrict Publish only on the Base feed

That should give you the publish restriction you are looking for. Can you please give that a try and let me know if that works?

Thanks,
Rich

Stephen.Schaff

I think I have an idea of what is happening here. I think that this issue is actually caused by my other open issue: https://forums.inedo.com/topic/3164/user-seen-as-a-group

I noticed that when I am adding any service account user, it is added as a group instead of a user. Actual users do not have this issue. In fact if you look at step 4 in my reply on Feb 12th, you will see that the restriction added shows the user as a group (purple background).

Lets suspend this issue until the we have figured out the issue with users being added as groups.