Details
Suggestion
Resolution: Unresolved
Description
The FishEye repos are only visible (i.e. returned by getRepositories()) when the current principal has access to them. However, the repositories provided through plugin (light) SCM modules are always returned, even to anonymous users.
The SCMRepository interface has an isAvailable(Principal) method that is poorly documented. We currently just include the return value in the RepositoryData instance that is returned through the API, but it's not used for access control. What's the intended use for this method? Is it to allow plugin writers to restrictively allow access to repos? If so, we should enforce it in the API and document it as such. If not (after all, shouldn't access control be handled by Crucible itself?), then why pass the Principal to isAvailable()?
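
If isAvailable(Principal) is meant as an access check, enforcing it when listing plugin repositories could look like the sketch below. This is an added example, not FishEye or Crucible code: the `SCMRepository` interface here is a hypothetical stand-in (only `isAvailable(Principal)` comes from the description above), and `visibleRepositories`, `repo`, `getName()` and the use of a `null` principal for an anonymous caller are assumptions.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

public class RepositoryVisibilityDemo {

    // Hypothetical stand-in for the plugin interface named in the issue.
    // Only isAvailable(Principal) is taken from the page; getName() is assumed.
    interface SCMRepository {
        String getName();
        boolean isAvailable(Principal principal);
    }

    // Treat isAvailable() as an access decision rather than a reported flag:
    // a plugin repository is listed only if it says yes for this caller.
    // A null principal models an anonymous caller (assumption).
    static List<String> visibleRepositories(List<SCMRepository> pluginRepos, Principal caller) {
        List<String> visible = new ArrayList<>();
        for (SCMRepository repo : pluginRepos) {
            boolean allowed;
            try {
                allowed = repo.isAvailable(caller);
            } catch (RuntimeException e) {
                allowed = false; // fail closed if the plugin's check throws
            }
            if (allowed) {
                visible.add(repo.getName());
            }
        }
        return visible;
    }

    // Constructed sample repository: available to anonymous callers only if flagged.
    static SCMRepository repo(String name, boolean anonymousOk) {
        return new SCMRepository() {
            public String getName() { return name; }
            public boolean isAvailable(Principal p) { return anonymousOk || p != null; }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data, not real repository names.
        List<SCMRepository> repos = List.of(repo("public-docs", true), repo("internal-src", false));
        Principal alice = () -> "alice"; // getName() is Principal's only abstract method
        System.out.println("anonymous: " + visibleRepositories(repos, null));
        System.out.println("alice:     " + visibleRepositories(repos, alice));
    }
}
```

The filter fails closed: a plugin whose check throws is treated as unavailable, so a faulty plugin cannot expose a repository to anonymous users.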