Enforce configuration of roles in Weblate
I haven't followed previous discussion about this, but there's the idea of enforcing configuration of Weblate roles (as defined in the design doc) through configuration management using Puppet.
- Anonymous users can suggest.
- Logged in users can suggest and vote on suggestions.
- Reviewers can accept suggestions.
The Puppet code created for this might need to be updated when Weblate/Django's API changes.
Can someone share some background on this discussion? Was it thought to protect against a specific kind of attack or bug?
@hefee, does this issue capture what we wrote down as "puppetize auth model"?
Yes, this sounds like what I had in mind with regard to "puppetize auth model".
What I have in mind with puppetize is any script that is shipped via Puppet and is executed regularly, like a cronjob.
#8 Updated by zen about 1 month ago
The current proposed fix for this uses a YAML file to store the desired roles. This YAML file was generated from our current setup. We have to review these roles to make sure they match what we want, and we may also want to remove any roles that Weblate creates but that are unneeded for us.
- Status changed from Needs Validation to In Progress
- Assignee changed from zen to hefee
I have fixed a small typo and merged the script as is, to test it. I think it's a good start but still needs some work:
- Should we check for unexpected Roles? (i.e. roles not in ACL but that exist in Weblate)
- Same question for Groups.
- How about we list exactly which Permissions are missing or should not exist for each Role?
- Same question for Groups and Roles.
- Looks like any user in a Group not listed in the ACL will trigger a warning. I think there's something wrong there.
- In the future, it'd be great to be able to list superusers and reviewers in the ACL and have this script configure them automatically.
After looking at the script, I am not afraid that this will break in the future: if it breaks, it shouldn't be hard to fix, and I wouldn't expect it to cause much trouble (i.e. give wrong permissions to wrong users).
So I think we can improve the script incrementally until it can actually configure/enforce the ACL by itself.
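
One way to produce the report asked for in the review points above (unexpected roles, and exactly which permissions are missing or should not exist for each role), as an added example that is not the script merged in this ticket. It compares two plain dictionaries; the role names and permission strings are constructed sample values, and loading the YAML file or reading the roles out of Weblate is assumed to happen elsewhere.

```python
import sys


def audit_roles(desired, actual):
    """Compare role -> permissions mappings; return (kind, role, permission) findings."""
    findings = []
    for role in sorted(set(desired) | set(actual)):
        if role not in actual:
            # Listed in the ACL but absent on the server.
            findings.append(("missing_role", role, None))
            continue
        if role not in desired:
            # Exists on the server but nobody declared it in the ACL.
            findings.append(("unexpected_role", role, None))
            continue
        want, have = set(desired[role]), set(actual[role])
        findings += [("missing_permission", role, p) for p in sorted(want - have)]
        findings += [("unexpected_permission", role, p) for p in sorted(have - want)]
    return findings


def format_finding(finding):
    """Render one finding as a single log line suitable for cron mail."""
    kind, role, perm = finding
    detail = "" if perm is None else f" permission={perm}"
    return f"WARNING {kind} role={role!r}{detail}"


# Constructed sample data (assumption): what the ACL file might declare ...
DESIRED = {
    "Anonymous": ["suggestion.add"],
    "Users": ["suggestion.add", "suggestion.vote"],
    "Reviewers": ["suggestion.add", "suggestion.vote", "suggestion.accept"],
}
# ... and a drifted server state with one extra grant, one lost grant, one stray role.
ACTUAL = {
    "Anonymous": ["suggestion.add", "suggestion.vote"],
    "Users": ["suggestion.add"],
    "Reviewers": ["suggestion.add", "suggestion.vote", "suggestion.accept"],
    "Leftover role": ["suggestion.accept"],
}

if __name__ == "__main__":
    results = audit_roles(DESIRED, ACTUAL)
    for item in results:
        print(format_finding(item))
    # Non-zero exit lets the cron wrapper or monitoring notice drift.
    sys.exit(1 if results else 0)
```

The same comparison applies to groups by passing group-to-role mappings instead of role-to-permission mappings.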