Bug 807616 - RFE: Read-only checkout of a project
RFE: Read-only checkout of a project
Product: PressGang CCMS
Classification: Community
Component: CSProcessor (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lee Newson
Depends On:
  Show dependency treegraph
Reported: 2012-03-28 06:45 EDT by Joshua Wulf
Modified: 2014-10-19 19:00 EDT (History)
2 users (show)

See Also:
Fixed In Version: 0.23.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-06-06 21:30:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Joshua Wulf 2012-03-28 06:45:39 EDT
Can we get a read-only checkout of a project. 

This will be useful for tutorials, and for investigating without inadvertently changing something.

The lowest hanging fruit might be simply to do something like:

csprocessor export <SPECID>

and it does a csprocessor checkout, only it also writes:

ACCESS: readonly

in the csprocessor.cfg file.

Then whenever the user runs 

csprocessor push

If the csprocessor.cfg contains "ACCESS: readonly" then it declines and says: "Project is read-only".

This would make the tutorials a lot safer. Especially since tutorials are going to be executed by people who don't know what they are doing, the last thing we need is people continually overwriting the demo material by accidentally pushing a read-only tutorial back to the server.

That would be a maintenance/administration nightmare for me, and would make the tutorials useless for people if the content specs they rely on are broken.
Comment 2 Lee Newson 2012-03-28 19:47:23 EDT
While I do agree that a read only ability is a good idea. Putting it as plain text like that in the csprocessor.cfg seems like a bad design pattern because its far too easy to change. Also as another example what if the user does csprocessor push <FILE> then that breaks the given example.

The best solution would be to have a property server sided that specifies who or what role can modify the content specification. That however is part of the authentication mechanisms which have yet to be done and won't be until Skynet gets it's sorted out.

So possibly for a temporary solution the ACCESS: readonly will do. Another possibility is to add a Property Tag in Skynet that defines the CSP is readonly and can only be altered by the creator (or possibly a list of users who are permitted). The issue with this is that the property tag can easily be removed in Skynet.
Comment 3 Joshua Wulf 2012-03-28 20:36:55 EDT
Yes, I concur with all your observations. Real security is still some way off.

This RFE is less about "preventing deliberate circumvention" than it is about "protecting new users from inadvertent mistakes by pressing the wrong button".

Making the tutorial content specs read-only with a server-side flag would protect them nicely. 

An export command that set a client-side "readonly" switch would enable people to check out various projects and build them for previewing purposes, and protect them from accidentally pushing them (for example by executing the push command in the wrong terminal window).
Comment 4 Lee Newson 2012-04-15 20:26:17 EDT
Added the basic implementation in 0.23.0.

There is a Property Tag called "CSP Read Only" setup in skynet. To use it add the property to the Content Spec that you want as read only. To specify users that can edit it set the value of the property to include a comma separated list of users.

eg: lnewson,jwulf,mcaspers

See: http://skynet.usersys.redhat.com:8080/TopicIndex/Topic.seam?topicTopicId=7272 for an example

Then when you attempt to validate or push the content specification you will get the following error message "ERROR: Invalid Content Specification! The content specification is read-only."
Comment 5 Joshua Wulf 2012-04-15 21:05:11 EDT
1. Find your Content Spec in the web interface. Click on "Edit and Tag" in the context menu.
2. Go to the Properties Tab.
3. In the Properties Name tab, drop down the combo box and select "- CSP Read Only"
4. Optionally: add a comma-separated list of usernames of users who will be able to edit the Content Spec, in the "Value" field.
5. Click the "Add" button.
6. Click the "Update" button.
Comment 6 Lee Newson 2013-06-06 21:30:32 EDT
Closing and setting as current release as no QA was performed by the original reporter. If there is still an issue with this bug still than please re-open it.

Note You need to log in before you can comment on or make changes to this bug.