reporangler / auth-service

A webservice to handle authentication for repository access
MIT License

Allow some package groups to be protected #18

Open christhomas opened 5 years ago

christhomas commented 5 years ago

Right now a REST API user can add themselves to any repository and package group; as long as they have REST API access, they can do it. However, in the future this will become a bit more sophisticated.

However, it might be that some groups might want to stop just anybody adding themselves to the group, and instead moderate the users that can and cannot access.

So the idea of a PACKAGE_GROUP_ADMIN was created, which means this user is responsible for moderating users in that group.

The first user to create a package group is automatically the admin, so this user will have this ability.

If a user tries to add themselves to a package group, it should send a message to the package group admin that a user has requested access. Then they have the choice to accept or reject that request.

christhomas commented 5 years ago

I need to add a constraint to the package group entity called 'protected' => true/false; then we need an API gate which will check these parameters before granting access to the package group.

In order to flip a user from requested to approved, we need to take the package group access capability and flip the boolean false => true on the approved field.
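
The flow proposed in this issue, as an added Python sketch that is not part of the thread or of reporangler's code: a `protected` flag on the group, a pending capability with `approved` set to false, and a gate that denies by default. All class, method and field names are hypothetical, and making the creator a member of their own group is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class PackageGroup:
    name: str
    admin: str               # creator of the group (PACKAGE_GROUP_ADMIN)
    protected: bool = False  # the 'protected' constraint from the issue
    access: dict = field(default_factory=dict)  # user -> approved flag
    inbox: list = field(default_factory=list)   # messages for the admin

class AccessService:
    def __init__(self):
        self.groups = {}

    def create_group(self, creator, name, protected=False):
        if name in self.groups:
            raise ValueError("package group already exists")
        group = PackageGroup(name, admin=creator, protected=protected)
        group.access[creator] = True  # assumption: the admin is also a member
        self.groups[name] = group
        return group

    def request_access(self, user, name):
        group = self.groups[name]
        if user in group.access:
            return group.access[user]  # repeat request: no duplicate, no downgrade
        approved = not group.protected  # unprotected groups stay self-service
        group.access[user] = approved
        if not approved:
            group.inbox.append(f"{user} requested access to {name}")
        return approved

    def decide(self, actor, user, name, accept):
        group = self.groups[name]
        # Only the group admin may moderate; this also blocks self-approval.
        if actor != group.admin:
            raise PermissionError("only the package group admin can moderate")
        if group.access.get(user) is not False:
            raise LookupError("no pending request for this user")
        if accept:
            group.access[user] = True  # flip approved false => true
        else:
            del group.access[user]     # rejected: the user may request again

    def can_access(self, user, name):
        # The gate: default deny unless an approved capability exists.
        group = self.groups.get(name)
        return group is not None and group.access.get(user) is True
```

The check in `decide` compares the authenticated caller against the group's admin, so a requester who calls the approval endpoint for their own pending entry is refused.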