bower / registry

The Bower registry
https://registry.bower.io/packages
MIT License

Allow anybody to remove a stale package #72

Closed jamesreggio closed 9 years ago

jamesreggio commented 10 years ago

If the GitHub repo referenced by a Bower package is no longer accessible, anybody should be allowed to remove that Bower package.

This should resolve a number of the errors people are encountering on bower/bower#120. It also incidentally fixes #69.

desandro commented 10 years ago

I like the intent here. I don't think there's a downside. If anyone can remove stale packages that means anyone can overtake stale packages. But at the same time, it means package owners can fix their own stale packages, whereas they had to go through the unregister request process previously.

I'd prefer to keep it un-merged for a bit. Keep it open for discussion.

jamesreggio commented 10 years ago

Fair enough; takeover is certainly a concern.

Unfortunately, without a user-account system (which I think we've rightfully avoided building/integrating), it'll always be a challenge to determine whether a person has the right to administer a package. We could enhance the logic a little more to look something like this:

The key change here is the check for implied ownership of deleted repos—either through the user's name being directly in the repo path, or through the user being a member of the owning organization.

That said... if we're not concerned with takeover, we can just merge my existing changes. (I'm not convinced that the manual process we use is any more secure.)

Thoughts, anybody?

wibblymat commented 10 years ago

I think that the "best" option is that we have some regular cron job that checks each registered package. This has many uses, including letting us send more information about available versions, etc., direct from the registry. But for the purposes of this bug, it lets us check that the repo is still valid.

Why is this better? The main one is that it lets us take more care that the repo is really dead. With this PR, if Github is down for 30 minutes for whatever reason, a malicious person would be able to unregister basically all of our packages with no auth.

On a cron job you also have more time to fetch the actual endpoint rather than using a fast API call, which means that the check can be applied to non-Github endpoints too.

wibblymat commented 10 years ago

I failed to say that my 'more care that the repo is really dead' meant trying again after a few hours and only removing the package if it continues to be dead. This could also be combined with a check that says that if there are more than X packages that look to be dead, alert an admin and stop removing packages because maybe something is wrong.
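The sweep-plus-circuit-breaker design wibblymat describes, as an added example in JavaScript that is not code from bower/registry: a package is removed only after failing two probes at least a few hours apart, and a sweep that finds more than `maxDead` unreachable packages halts and alerts instead of removing anything. The recheck delay, the injected `probe` function, the sample packages and the threshold are all assumptions for the example.

```javascript
// Added model of the sweep design discussed above; not bower/registry code.
const RECHECK_DELAY_MS = 6 * 60 * 60 * 1000; // re-probe no sooner than 6h later (assumed value)

// One package's verdict from one probe. state = { firstSeenDeadAt: ms | null }.
function classify(isAlive, state, now) {
  if (isAlive) return { action: 'keep', state: { firstSeenDeadAt: null } };
  if (state.firstSeenDeadAt === null) return { action: 'suspect', state: { firstSeenDeadAt: now } };
  if (now - state.firstSeenDeadAt >= RECHECK_DELAY_MS) return { action: 'remove', state };
  return { action: 'suspect', state };
}

// One sweep over the registry. probe(url) -> true if the repo still answers.
// states (Map name -> state) is committed only when the sweep is not halted,
// so a transient outage never counts as a first strike against a package.
function sweep(packages, states, probe, now, maxDead) {
  const next = new Map();
  const verdicts = [];
  for (const pkg of packages) {
    const prev = states.get(pkg.name) || { firstSeenDeadAt: null };
    const v = classify(probe(pkg.url), prev, now);
    next.set(pkg.name, v.state);
    if (v.action !== 'keep') verdicts.push({ name: pkg.name, action: v.action });
  }
  if (verdicts.length > maxDead) {
    // Mass failure looks like an outage (or a problem with the checker), not dead repos:
    // alert an admin, remove nothing, keep the prior state.
    return { removed: [], suspect: verdicts.map(v => v.name), halted: true,
             alert: `${verdicts.length} packages unreachable (limit ${maxDead}); removals suspended` };
  }
  for (const [name, st] of next) states.set(name, st);
  return { removed: verdicts.filter(v => v.action === 'remove').map(v => v.name),
           suspect: verdicts.filter(v => v.action === 'suspect').map(v => v.name),
           halted: false, alert: null };
}

// Constructed sample registry and probe stubs (no network access).
const SAMPLE = [
  { name: 'alpha', url: 'https://example.invalid/u/alpha' },
  { name: 'beta',  url: 'https://example.invalid/u/beta' },
  { name: 'gamma', url: 'https://example.invalid/u/gamma' },
];
const probeOf = (aliveUrls) => (url) => aliveUrls.has(url);

function demo() {
  const states = new Map(), maxDead = 1;
  const betaDown = probeOf(new Set([SAMPLE[0].url, SAMPLE[2].url]));
  const r1 = sweep(SAMPLE, states, betaDown, 0, maxDead);                 // beta: suspect only
  const r2 = sweep(SAMPLE, states, betaDown, RECHECK_DELAY_MS, maxDead);  // beta: still dead, removed
  const rest = SAMPLE.filter(p => !r2.removed.includes(p.name));
  const r3 = sweep(rest, states, probeOf(new Set()), 2 * RECHECK_DELAY_MS, maxDead); // outage: halted
  return { r1, r2, r3 };
}
```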

sheerun commented 9 years ago

I think both automation of deleting and allowing deletion for anyone if the repo exists are too fragile. We can easily compromise the whole registry this way. Closing this PR, please see: #110