Workflow has changed and TUs should now depend on actions taken closing
requests which exist for the package base (deletion, merge, disown|orphan).
The `/requests/{id}/close` route is now purely used for rejecting
requests. The deletion, merge and orphan closures have been added
into their related action routes. See the lists below.
Disowning can only be done if an existing orphan request can be found
for the action by TUs. Maintainers can disown their own packages at
any time.
Actions which provide request closures:
--------------------------------------
- `/pkgbase/{name}/delete`: deletion request closure
- `/pkgbase/{name}/merge`: merge request closure
- `/pkgbase/{name}/disown`: orphan request closure
To close a request:
------------------
- `/requests/{id}/close`: close a request with rejected status
For deletion and merge actions, if no request yet exists, one
will be autogenerated and closed.
For orphan requests, a preexisting require is required and an
error is now returned in cases where one cannot be found.
For all closure actions, if the new comments field is left empty,
a closure comment will be autogenerated.
Note: This is a documentation commit summing up UX changes from
recent commits.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit changes several things about how we were handling
package requests.
Modifications (requests):
-------------
- `/requests/{id}/close` no longer provides an Accepted selection.
All manual request closures will cause a rejection.
- Relevent `pkgbase` actions now trigger request closures:
`/pkgbase/{name}/delete` (deletion), `/pkgbase/{name}/merge` (merge)
and `/pkgbase/{name}/disown` (orphan).
- Comment fields have been added to
`/pkgbase/{name}/{delete,merge,disown}`, which is used to set the
`PackageRequest.ClosureComment` on pending requests. If the comment
field is left blank, a closure comment is autogenerated.
- Autogenerated request notifications are only sent out once
as a closure notification.
- Some markup has been fixed.
Modifications (disown/orphan):
-----------------------------
- Orphan requests are now handled through the same path as
deletion/merge.
- We now check for due date when disowning as non-maintainer;
previously, this was only done for display and not functionally.
This check applies to Trusted Users' disowning of a package.
This style of notification flow does reduce our visibility, but
accounting can still be done via the close request; it includes
the action, pkgbase name and the user who accepted it.
Closes#204
Signed-off-by: Kevin Morris <kevr@0cost.org>
We now maintain a logging.prod.conf, which should contain sane
defaults for a production instance. Our main logging.conf is
a good default for both testing and debugging, but provides
too much logging for production.
Signed-off-by: Kevin Morris <kevr@0cost.org>
After actually digging into how the logger does things,
since the root logger is required and we have specific
level-changing loggers for our components, we must no-op
the root logger to avoid it duplicating logs from the others.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Previously, we were just relying on the cookie expiration
for sessions to expire. We were not cleaning up Session
records either.
Rework timing to depend on an AURREMEMBER cookie which is
now emitted on login during BasicAuthBackend processing.
If the SID does still have a session but it's expired,
we now delete the session record before returning.
Otherwise, we update the session's LastUpdateTS to
the current time.
In addition, stored the unauthenticated result value
in a variable to reduce redundancy.
Signed-off-by: Kevin Morris <kevr@0cost.org>
There's a space between every 4 characters in the fingerprint
in PHP; we were missing it in FastAPI. This commit fixes that
inconsistency.
Signed-off-by: Kevin Morris <kevr@0cost.org>
We've seen a bug in the past where unique SID generation fails and
still ends up raising an exception.
This commit reworks how we deal with database exceptions internally,
tries for 36 iterations to set a fresh unique SID, and raises a 500
HTTPException if we were unable to.
Signed-off-by: Kevin Morris <kevr@0cost.org>
