Admins cannot view /package/:package/maintain

[hesselink]

Users in the admins group cannot view /package/:package/maintain, but they can access all the links on that page. I think they should also be able to view that page.

[dcoutts]

Should be easy to fix. There's an auth check that uses a list of groups.

[gracenotes]

Admins (who administer users/infrastructure) shouldn't need to do this, right? This should be in the realm of trustees (who administrate packages). If there are admins who are also de facto trustees, they should be added to the trustees group.

(All of the links on the maintain page should probably be changed likewise.)

[hesselink]

I've looked into this a bit further. All html pages linked from the 'maintain' page have no security checks, but the actual actions all call guardAuthorisedAsMaintainerOrTrustee, which means admins cannot perform them. The exception is editing the maintainers group, which is also editable for admins.

So the question here really is what we want. Adding a maintainer (usually for a package takeover) is something we now do regularly as admins, so it would be convenient if the index page is viewable. If we decide that this is not a task for admins but only for trustees, then the permissions for the editing of maintainers should be tightened.

[dcoutts]

I would suggest we eliminate guardAuthorisedAsMaintainer and guardAuthorisedAsMaintainerOrTrustee, replacing them with their expansions. Their expansions are simpler, more uniform, and easier to audit and edit. In particular, this change would be trivial: just adding the admins group to the list.

[hesselink]

So should we make this change?

[gbaz]

i think we should, yes?