MokoConsulting/MokoGitea-APP
1
0
Fork 0
Code Issues 158 Pull Requests 5 Releases 96 Wiki Activity

feat: granular role-based permissions for all features #9

New Issue
Open
opened 2026-05-08 04:39:16 +00:00 by jmiller · 2 comments
jmiller commented 2026-05-08 04:39:16 +00:00
Owner
Copy Link
Copy Source

Add per-field permission controls so admins can restrict who can view or edit specific custom fields.

Use Cases

  • Client-facing fields visible to clients but not editable
  • Internal scoring fields hidden from non-staff
  • Compliance fields only editable by admins
  • Billing fields restricted to finance team

Proposed Permission Levels

Level Can View Can Edit
Public Anyone with repo access Anyone with write access
Restricted Anyone with repo access Only admins/owners
Private Only admins/owners Only admins/owners

Implementation

  • Add visibility and edit_permission columns to custom_field_definition
  • Check permissions in API and web handlers before showing/saving
  • UI: show lock icon on restricted fields
  • API: filter fields based on caller's permission level

Dependencies

  • Custom fields feature (done)
  • Org-level and system-wide fields (done)
Add per-field permission controls so admins can restrict who can view or edit specific custom fields. ## Use Cases - Client-facing fields visible to clients but not editable - Internal scoring fields hidden from non-staff - Compliance fields only editable by admins - Billing fields restricted to finance team ## Proposed Permission Levels | Level | Can View | Can Edit | |-------|----------|----------| | Public | Anyone with repo access | Anyone with write access | | Restricted | Anyone with repo access | Only admins/owners | | Private | Only admins/owners | Only admins/owners | ## Implementation - Add `visibility` and `edit_permission` columns to `custom_field_definition` - Check permissions in API and web handlers before showing/saving - UI: show lock icon on restricted fields - API: filter fields based on caller's permission level ## Dependencies - Custom fields feature (done) - Org-level and system-wide fields (done)
jmiller commented 2026-06-06 19:44:00 +00:00
Author
Owner
Copy Link
Copy Source

Expanded Scope (merged from #532)

This issue now covers granular field-level permissions for ALL issue fields, not just custom fields:

  • Status (first-class field)
  • Priority (first-class field)
  • Labels
  • Milestone
  • Assignees
  • Custom Fields

Each field should have configurable minimum role (anyone/contributor/writer/maintainer/admin) and optional team-based restriction.

See #532 for the full spec.

Authored by Jonathan Miller (@jmiller)

## Expanded Scope (merged from #532) This issue now covers granular field-level permissions for ALL issue fields, not just custom fields: - Status (first-class field) - Priority (first-class field) - Labels - Milestone - Assignees - Custom Fields Each field should have configurable minimum role (anyone/contributor/writer/maintainer/admin) and optional team-based restriction. See #532 for the full spec. --- *Authored by Jonathan Miller (@jmiller)*
jmiller changed title from feat: Granular permissions for custom fields to feat: granular role-based permissions for all features 2026-06-06 19:45:08 +00:00
jmiller commented 2026-06-06 19:45:08 +00:00
Author
Owner
Copy Link
Copy Source

Full Scope: All Features

Granular permissions should cover every feature in MokoGitea, not just issue fields:

Issue Fields

  • Status, Priority, Labels, Milestone, Assignees, Custom Fields

Repository

  • Settings, Branches, Tags, Releases, Webhooks, Deploy Keys
  • Manifest settings, Update server config
  • Wiki (read/write/admin per section)

Organization

  • Issue status/priority/custom field definitions
  • Field permission config itself
  • Team management, Member management
  • Update server settings

Actions

  • Workflow dispatch, Secret management, Runner management

Packages/Licenses

  • Package publish, License key management, Download gating

Architecture

  • Per-org permission config stored as JSON (one table)
  • Role levels: anyone, contributor, writer, maintainer, admin
  • Team-based overrides for specific teams
  • Cascading: org defaults, repo overrides
  • API: GET/PUT /orgs/{org}/permissions

This is a foundational feature that touches every part of MokoGitea.

Authored by Jonathan Miller (@jmiller)

## Full Scope: All Features Granular permissions should cover every feature in MokoGitea, not just issue fields: ### Issue Fields - Status, Priority, Labels, Milestone, Assignees, Custom Fields ### Repository - Settings, Branches, Tags, Releases, Webhooks, Deploy Keys - Manifest settings, Update server config - Wiki (read/write/admin per section) ### Organization - Issue status/priority/custom field definitions - Field permission config itself - Team management, Member management - Update server settings ### Actions - Workflow dispatch, Secret management, Runner management ### Packages/Licenses - Package publish, License key management, Download gating ### Architecture - Per-org permission config stored as JSON (one table) - Role levels: anyone, contributor, writer, maintainer, admin - Team-based overrides for specific teams - Cascading: org defaults, repo overrides - API: GET/PUT /orgs/{org}/permissions This is a foundational feature that touches every part of MokoGitea. --- *Authored by Jonathan Miller (@jmiller)*
Sign in to join this conversation.
Labels
Clear labels
breaking-change
Breaking API or behavior change
 ci-cd
CI/CD pipeline changes
 config
Configuration changes
 dependencies
Dependency updates
 deploy-failure
Deployment failed
 docker
Docker/container changes
 documentation
Documentation changes
 good first issue
Good for newcomers
 health-check
Repo health check result
 help wanted
Extra attention needed
 mokostandards
Related to MokoStandards framework
 push-failure
Git push operation failed
 security
Security vulnerability or hardening
 size/l
200-500 lines changed
 size/m
50-200 lines changed
 size/s
10-50 lines changed
 size/xl
500+ lines changed
 size/xs
< 10 lines changed
 standards-drift
Deviates from MokoStandards
 standards-update
MokoStandards compliance update
 sync-failure
Sync or mirror failed
 tech-debt
Technical debt and TODO/FIXME items
 upstream
upstream
Inherited from upstream Gitea
 work-in-progress
Draft or incomplete work
No labels
Priority Medium
Type Feature
Status
Priority
Type
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-APP#9
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?