- Similar to LDAP_SUPERUSER_FILTER, add a specific filter to define
restricted users, based on the LDAP_USER_FILTER
- restrict writes on restricted users' own namespace. Normal
permissions applies on organization membership
- add global readonly superuser GLOBAL_READONLY_SUPER_USERS (PROJQUAY-2604)
- Removes RESTRICTED_USER_INCLUDE_ROBOTS, FEATURE_RESTRICTED_READ_ONLY_USERS
* api: feature to limit org creation to superusers
Introduces the following configuration flags:
FEATURE_SUPERUSERS_ORG_CREATION_ONLY:
Limit org creation to superusers only
FEATURE_SUPERUSERS_FULL_ACCESS:
Grant superusers read/write access to registry content in all namespaces
FEATURE_RESTRICTED_USERS:
Users considered as restricted are not anle to create organization
RESTRICTED_USERS_WHITELIST:
Whitelist for FEATURE_RESTRICTED_USERS
RESTRICTED_USER_INCLUDE_ROBOTS:
Whether or not to include the user namespace's robots
RESTRICTED_USER_READ_ONLY:
Only allow read-only operations for restricted users
* Revert superuser repositorylist endpoint
RepoMirrorConfig in the current database migration version has a
non-null constraint on the internal_robot field, but the model in
database.py does not.
Updates the model to match the current database revision, and handles
delete api calls when there are mirrors still using the robot.
Also set a default test DATABASE_SECRET_KEY when generating the test.db
* Move truthy_bool to a neutral location.
* Add dba operator migration version generation code.
Change existing migrations to use an injected and wrapped op.
* Generate databasemigration hints files for all existing migrations.
* Reformat with black.
