OBS requires admin access to modify DoD project’s configuration
Audience
As a user of OBS, I want to be able to configure DoD projects (when given maintainer’s access to) without having to resort to admin privileges as this leads to difficulties with managing access to the admin account and poses security risks.
Background
$ osc meta prjconf -e Debian:Bookworm:main
Sending meta data...
BuildService API error: update_project_not_authorized (403)
You are not authorized to update this Project.
This is due to the following code in ProjectPolicy
:
def update?
return false unless user
return false unless local_project_and_allowed_to_create_package_in?
# The ordering is important because of the lock status check
return true if user.is_admin?
return false unless user.can_modify?(record, true)
# Regular users are not allowed to modify projects with remote references
no_remote_instance_defined_and_has_not_remote_repositories?
end
This is inconvenient. We need to investigate the reason behind this and, if feasible, propose a change and submit it upstream.