Add a role that let's people push only to their maintained packages

[corevo]

Hi,

I'm looking into using Klondike in a private org, and I don't like the idea of letting everyone be package manager, that's too much permissions for every programmer.

So if each developer could only push to his maintained packages that would be great.

Take note that I'm using NTLM so there are no anonymous users, thanks!

[chriseldredge]

Klondike currently does not keep track of which account, or api-key pushes a package, so we'd need to start by designing a way to retain this information, ideally in a way that continues to work if an account is renamed.

I can understand you might want to let some users push packages without giving them the other permissions that Package Manager includes (delete packages, synchronize, rebuild index).

Would having a separate role that only allows pushing packages be acceptable? This would be much simpler to implement than trying to do per-package security.

[corevo]

Yes, as long as that user can't overwrite other's packages (if it exists under the same name and version)

[chriseldredge]

There is an option in Klondike 2.0 beta to prevent package overwrite as a system policy. See Settings.config line 40.

The option is set to allow overwrite by default.

[corevo]

I would like package managers to overwrite packages, just that normal developers won't be able to

[chriseldredge]

Package managers could still delete packages, then push a different version.

Klondike does not currently have a setting to disable delete.

[corevo]

I'm about to be using Klondike for both a nuget feed and a choco feed, Sadly choco doesn't support delete, so that would require all the choco package managers to have nuget as well.

Could be done, but less intuitive, either way, I'd be happy with the extra role