Require 2 admin signoffs for changes to permissions
#2194
Assignees
Labels
admin
admin app & api (aus4-admin.mozilla.org)
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, we calculate the signoffs required for changes to permissions by taking the full set of all product signoffs (
balrog/src/auslib/db.py
Line 2658 in 3ed6b80
We should adjust this to require just two signoffs in total. Ideally, it would require them from a full fledged
admin(ie: hasadminpermission without any conditions attached). If this ends up being too difficult (it my - because it moves us from looking at "roles" when checking signoffs to looking at "permissions" -- it also may complicate the UI) -- we could consider hardcoding 2 "releng" signoffs instead. We'd have to evaluate potential security issues before going that route - most importantly, we need to make sure that nobody currently has that role that shouldn't, and cannot be granted it by anybody other than a full fledged admin.The text was updated successfully, but these errors were encountered: