Meta: Organizations roles permissions bugs

[di]

Currently PyPI has a split permissions model for projects and organizations: a user may have a role on one or both depending on certain circumstances.

The general intent with ownership is that projects are either owned by users or by an organization. This means that the Project Owner role (and the Project Maintainer role) are mutually exclusive with the Organization Owner role.

This model is somewhat buggy. Some related issues:

• 'Sole maintainership' checks do not take into existing account organization roles (Org-owned projects: Cannot remove yourself as Sole Owner #15095)
• The removal of the Project Owner role is surprising for the transferring user and should be more clearly explained (Temporarily lost acces to package while transfering to organisation. #13558)
• When transferring a project to an organization, only the transferring users loses the Project Owner role, not other Project Owners who are also existing Organization Owners.
• When adding a user as an Organization Owner, their roles in organization-owned projects are not removed which results in a violation of the mutual exclusivity of Project Owner and Organization Owner roles.

[shaib]

Hi, I just ran into the exact scenario described in #13558 (comment) and I think the source of the confusion is the idea that "The general intent with ownership is that projects are either owned by users or by an organization". This runs flat against the documented set of roles, https://docs.pypi.org/organization-accounts/roles-entities/ -- if a project is only intended to be owned by either users or organizations, then what does the row "Own/maintain specific projects" mean?

[FWIW, the project "broken-down-models" was just added to the SlateScience organization where I ("matific") am a manager]

[dstufft]

Talked this out with the other PyPI folks, and I think we have a path forward here that will remove confusion and satisfy the long term desires.

1. When transferring in a project, the transferring user will retain a role on the project, this ensures that they do not lose access.
   • We didn't say it explicitly, but I think this should also mean that an org Manager will get a role created for the new project.
2. A new kind of project role is created, "Admin", which functions similar to the current "Owner" role, except that it does not have permission to delete the entire project. This "Admin" role is only available to organization owned projects.
   • When transferring in projects, any existing "Owner" roles are removed, and replaced with "Admin" roles.
   • The "Owner" role will no longer be available on organization owned projects (other than for the organization itself), all teams and users will be migrated to "Admin" roles.

The (1) part of this plan should solve #13558 and #18179.

The (2) part of this plan should rectify the "mixed ownership" issue that caused #14455 to be closed, and ensure that the ownership model for organization owned projects is consistent.

There's one sort of sharp edge here still, where a non-organization owned project can have multiple owners, and one of them decides to transfer it into an organization, which demotes them and the other person into "Admins". I think that's fine, because there's nothing stopping that person from just removing that other person as an Owner even without bringing organizations into it.

[warsawnv]

A new kind of project role is created, "Admin", which functions similar to the current "Owner" role, except that it does not have permission to delete the entire project.

Will the Admin role still be able to archive a project, or do they also lose that too?

[dstufft]

Will the Admin role still be able to archive a project, or do they also lose that too?

I think they would still have that permission (unless @ewdurbin disagrees) since that's not a destructive operation that only the actual owner should be able to do.