Now there doesn't seem to be any way of controlling who can reassign whose identities. There probably should be, as for testing purposes I was able to reassign another person's identity to myself, and I probably shouldn't be able to do that. This could have some security implications, even though I can't imagine any severe ones at the moment, apart from misleading people.
Event Timeline
Comment Actions
Uh thanks. Interesting. Yeah probably with considerations under Security probably.
Now probably the "can push" is bland in we.phorge.it, since Herald blocks commits.
It's possible that, at the moment, the identities can be edited by people who can push in the repository. But the identities probably should be editable only for:
- people who can edit the repository (people who administer it)
- you, if the email matches yours (since you somehow pushed in the repository)
Comment Actions
> But the identities probably should be editable only for:
> - people who can edit the repository (people who administer it)
> - you, if the email matches yours (since you somehow pushed in the repository)
That seems about right, but the first bullet is not currently applicable — identities seem to be global, not repository-scoped. This probably means that only administrators should be able to edit those.
Comment Actions
It turns out that this is a duplicate:
T15443: Add Diffusion policy capability "Can Edit and View Identities"