Is it possible to prevent certain group of users in Gitea to merge pull requests?
I tried creating two groups - "Power Devs" and "Simple Devs". I gave the "Power Devs" group Write permissions for "Pull Requests" and the "Simple Devs" group only Read permission.
Unexpectedly for me, a user in the "Simple Devs" group was still able to merge a pull request.
Reading from the documentation, I learned that the permission enables the users to "View pull requests and create new pull requests." Apparently, anyone can merge them.
Is there any way to disable merging pull requests for a certain group of users?
Related
In a scenario where new record was created and attached to a new tab on the item record.
I would like to give all roles ability to read data from it, but only few specific roles should be able to edit.
Setting Access type to 'no permissions' would give all ability to change the content.
Setting to 'permission list' would require adding a list of 100+ different roles, and continuous maintenance when new role is added
I tried setting it to no permissions, and then having workflow return error if wrong roles tries to edit it, but it doesn't work for inline editing.
The reason why every or at least vast majority of roles needs to be able to read this, is because we have a Client Script running for multiple transaction types (SO,PO, Opportunity etc). And said script will do its logic based on that custom record. Since Client Script are run based on the current user permission, it will throw an error if user has no specific access to that record.
I would appreciate any type of advice how to handle such scenario, either by permission configuration or running the search as different role in a Client Script.
We've structured our environment such that the main approval in ADO exists at the master branch policy level, where a 2nd user must approve the pull request prior to merging to the master branch. From there it's mostly automated testing, and approvals in ServiceNow. To help address SOD concerns, we're wondering if you had insight into either of the following:
Is there any history for master branch policy changes? We've seen the pipeline approval history before, but I'm not sure if there's anything similar that tracks changes to the policy configurations.
Is there any reporting out of ADO that would show a population of merges and include the owner of the change and the approver? The thought being that this could be used to ensure no one merged their own code without independent approval.
Is there any history for master branch policy changes?
Yes, while there isn't something like a History tab available for Branch policies, there are Audit events you can access and consume from the Auditing tab in the Organization Settings page. Auditing for Azure Repos events was announced around the July 2019 timeframe.
The auditing page provides a simple view into the audit events recorded for your organization. This data is also available to export in a CSV or JSON format. The Policy area covers the changes made to branch policies. You can view events for policies when they are created, removed, modified, or bypassed.
Here is an example of what that looks like:
Clicking on the i button available for each event will also give you more details about the exact change that was made, for example, changing the minimum approver count from 2 to 3.
Is there any reporting out of ADO that would show a population of merges and include the owner of the change and the approver? The thought being that this could be used to ensure no one merged their own code without independent approval.
There's an even better option. :) If you intend to enforce this, you should do it with a branch policy rather than a report:
While configuring the Require a minimum number of reviewers branch policy, you can ensure this with the following options:
If Allow requestors to approve their own changes is selected, the creator of the pull request may vote on its approval. If not, they can still vote Approve on their pull request, but their vote won't count toward the Minimum number of reviewers.
By default, anyone with push permissions on the source branch may both add commits and vote on the pull request's approval. By enabling Prohibit the most recent pusher from approving their own changes, you can enforce segregation of duties - having the most recent push automatically makes the pusher's vote not count.
Hope this addresses your requirement.
References:
Access, export, and filter audit logs
Improve code quality with branch policies
Would it be possible to restrict developers not to create a branch in gitlab? Only Owner or Maintainer should create.
Any help would be appreciated.
You should be able to using protected branches.
Go to Settings -> Repository, and navigate to Protected Branches.
You can then create a wildcard to protect all branches, and only allow Maintainers or Owners to push/merge.
After a lot of internet searching, I don't think you can stop specific users from creating new branches. Although, most of the suggestions given to accomplish some sort of control is to use protected branches.
Most suggestions along this route tell you to restrict branch creation for individuals with the "Developer" role, while allowing those with "Maintainer" role to continue creating branches on GitLab.
But, my use case desires the ability to restrict only some of the users with "Developer" access. My team is quite large, and I only want to restrict a small percentage of them from creating branches. I don't want to have to make the majority of my developers into "Maintainers" just to accomplish this restriction. Thus, I believe that restricting branch creation by individual user is not possible with GitLab at this time.
I've a requirement, where I need to add a few users from the UI. I'm working with "developer" access to the project in GitLab. Even if already a few users are added with different access while the project is created and only users added from the UI to perform developer role without making any changes in the project.
Is it possible and how to implement it?
"Overwriting" permissions is not possible and if you want to simulate this behavior you could create a new group and share this project with another group. Then you would need to deny access to individual group members. See this permission matrix.
I would like to enable a group of users to fork any repo from a GitLab group and subsequently send PR's to repos in that GitLab group but not be able to push to repos in that GitLab group.
Is this possible using one of the standard access levels; Guest/Reporter/Developer ?
You can set yourself as the only one with write access:
That way, many people can send pull requests to your branch, but only you can merge them.
Turns out that the 'Reporter' access level does exactly what I need.
What I did was;
Grant one user group Owner access to the repo group (the release managers in my context)
Grant another user group Reporter access to the repo group (the feature devs)
The release managers now have full access, the feature devs can fork and send PR's (merge requests in GL vocab).