Maintainer Role

[colby-swandale]

What's this about?

RubyGems.org currently has a single implicit role assigned to everyone who is an owner of a given gem. This role lets any gem owner do any, and all, things to a gem without restriction, such as adding & removing other owners, publishing new versions, yanking versions etc. In recent years, a strong desire in the community as emerged for a role system to be introduced for groups & businesses to better align their organizational structure and reduce the impact blast of any potential account take over.

What this Pull Request introduces

• This Pull Request adds the formal concept of a Owner & Maintainer role and what permissions are granted.
• Adds a new field to Ownership that assigns a particular role for the that gem + owner relationship
• Adds a new form to edit an existing ownership to allow user's roles to be updated (Owners or Maintainers cannot update their own Role).

What this Pull Request is not introducing

• Fine grained access controls. Permissions & Roles will remain specified in source code and cannot be modified by users.

Technical Details

We've added a new field to the Ownership table that records the user's current role. Inside Rails this is mapped from a string, either maintainer or owner to a new mapped integer in Access which is the thing that's stored in Postgres.

This integer is then used to determine what level of access is granted inside the Rubygem policy.

Decisions made for this Pull Request

The blast radius of this change if things goes wrong is very big, worst case is we stop anyone from publishing new versions. So a priority on maintaining the status quo was put in place to guide this PR.

• All existing ownerships will remain untouched with the same permissions they currently have.
• The default role offered to users in our UI will remain as "Owner" the same role that was implicitly assigned.

Owner vs Maintainer

	Owner	Maintainer
Manage Owners	✅	❌
Publish Version	✅	✅
Yank Version	✅	✅
Manage Adoptions	✅	❌
Manage Trusted Publishing	✅	❌

Screenshots

Viewing current owners and their role

Updating a user's role

User notification of their role being updated

[codecov]

Codecov Report

Attention: Patch coverage is 97.79412% with 3 lines in your changes missing coverage. Please review.

Project coverage is 96.97%. Comparing base (ea8688c) to head (fc63946).
Report is 7 commits behind head on master.

Files with missing lines	Patch %	Lines
app/policies/organization_policy.rb	88.88%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4883      +/-   ##
==========================================
+ Coverage   96.95%   96.97%   +0.01%     
==========================================
  Files         421      424       +3     
  Lines        8777     8892     +115     
==========================================
+ Hits         8510     8623     +113     
- Misses        267      269       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[martinemde]

I think it looks good, I need to finish reading through the tests so I'll approve when I'm done, but wanted to get these comments in.

[martinemde]

I reviewed changes since last time. Looks good.