Warehouse: Create "Moderator" level User and corresponding permissions

Created on 16 May 2018  路  14Comments  路  Source: pypa/warehouse

Currently on PyPI, we have two types of users:

  • regular users
  • administrators (for which User.is_superuser is true)
  • (There is also a field User.is_staff but I believe it's unused).

It'd be great to add an intermediate level of user, "Moderator", which has the ability to do the following:

  • view all the existing /admin views (but read-only)
  • set upload limits
  • add classifiers
  • etc

The "Moderator" user should not be able to:

  • change emails (including verified or active status)
  • delete projects
  • nuke users

(cc @99)

feature request
Source
picture di

All 14 comments

The User.is_staff field comes from when I was attempting to port Warehouse to Django, and I do believe it is entirely unused.

One thing that might also be useful (although could come at a later time too!) is the ability to do things like request a delete of a project (or a nuke of a user etc), and then have the admins be able to deny or approve that request. That allows them to structurally make recommendations to the admins, and the admins to still have the final say. It also allows us to provide a path towards moderators becoming admins (if they desire) since we can easily look and go "hey, every time this person makes a recommendation we end up following up, maybe we just want to promote them".

dstufft picture dstufft on 16 May 2018

Agreed. I think the steps to address this, roughly broken up by PRs, would be:

  • Add a new field/migration to the User model, as well as corresponding UI in /admin for administrators to toggle this flag for users;
  • Add ACLs for various /admin POST endpoints, as well as conditionals in the HTML templates to hide actions that are not enabled for moderators, and to make fields not appear editable;
  • Add back these actions as "request/recommendation" actions that get raised to administrators. This could piggyback on the system we use for #3896.
di picture di on 16 May 2018

Yea, that seems like a great path forward.

dstufft picture dstufft on 16 May 2018

I am going to start working on this. I have the first part complete (add new field and migration as well as adding is_moderator as settable in admin UIs) https://github.com/pypa/warehouse/pull/5249/files

crwilcox picture crwilcox on 4 Jan 2019

@di @dstufft I am moving on to Add ACLs for various /admin POST endpoints, as well as conditionals in the HTML templates to hide actions that are not enabled for moderators, and to make fields not appear editable;

Do you have a starting list of activities you would like to allow moderators to do? For instance, should moderators be able to mark other users as having a verified email?

crwilcox picture crwilcox on 5 Jan 2019

@crwilcox See the issue body:

view all the existing /admin views (but read-only)
set upload limits
add classifiers

di picture di on 5 Jan 2019
👍1

5249 is merged, we can now set users as moderators.

@jamadden @yeraydiazdiaz Would you like to be moderators?

di picture di on 25 Jan 2019
🎉1

That鈥檚 a yes for me, thanks 鈽猴笍

yeraydiazdiaz picture yeraydiazdiaz on 25 Jan 2019

@theacodes volunteered if you want additional moderators.

crwilcox picture crwilcox on 25 Jan 2019

I volunteer too, if you need more eyes and hands on deck. :)

pradyunsg picture pradyunsg on 26 Jan 2019

Yes, please. And thank you.

jamadden picture jamadden on 26 Jan 2019

@ewdurbin I got your Slack invite, thank you. Would it be possible to switch it to the alternate address for my PyPI account?

jamadden picture jamadden on 28 Jan 2019

absolutely. will do.

ewdurbin picture ewdurbin on 28 Jan 2019

Hey, we have moderators now! Closing this.

di picture di on 25 Mar 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

toddrme2178 picture toddrme2178  路  3Comments
mahmoud picture mahmoud  路  4Comments
apogoreliy picture apogoreliy  路  4Comments
nlhkabu picture nlhkabu  路  4Comments
ruohoruotsi picture ruohoruotsi  路  3Comments