How to set permissions for publishing new Wiki version on VSTS - tfs

We've published our Wiki pages in VSTS using 'code as Wiki' (see explanation here). In general we only want to use the master branch for displaying these Wiki pages, but sometimes we want to add a new version using the Publish new version menu option (see screenshot).
However for some of my team members it isn't possible to publish a new version, because that menu option is not visible. I've searched to see if there are certain permissions controlling this menu option, or any preview feature that should be enabled, but couldn't find any clues on this.
Does anyone know how to get this Publish new version available to everyone? Thanks!
Edit 1
It was suggested by Rodrigo Werlang to check out Wiki security, however this option is not available for 'code as Wiki', see screenshot:

Just see the Prerequisites to publish a Git repository to a wiki:
You must have the permission Create repository to publish code as
wiki. By default, this permissions is set for members of the Project
Administrators group.
Anyone who has permissions to contribute to the Git repository can add
or edit wiki pages. Anyone with access to the team project, including
stakeholders, can view the wiki.
And the description about Stakeholder wiki access:
Stakeholders in a project can read wiki pages and view revisions,
however they can't perform any edit operations. For example,
stakeholders can't create, edit, reorder, or revert changes to pages.
Note: Users with Stakeholder access have read-only permissions to
wiki pages. These permissions can't be changed.
So, in your scenario you can follow below steps to see the Publish new version option:
Change the user access level to Basic if it was Stakeholder
before.
Add the user to Project Administrators group or have
Manage permissions set to Allow for Git repositories.

In your wiki, go to Wiki Security
Take a look at the security page and set contribute, contribute pull request, create branch, create tag, manage notes, read.

Related

Jenkins GitHub access token - Enable Checks but not Write code

I'm trying to set up Jenkins Multi-branch pipelines to add status checks to my GitHub private org repos. Blue Ocean requires the bot-user to have write (maybe more) privileges, listed as so:
I would like to pull code, write status checks but not push code. Is there any combination/workaround that will enable this?
P.s. I'm not entirely confident in what each scope enables and what permission level of collaborator (read/write/admin) they need even though I've read the hyperlinked docs.
A personal access token grants a user API access at the same level of their permissions within GitHub, never greater. For example if the user has read access to a repo and the token is marked as "Full control" then they will still only have read access to that repo.
Writing a Status Check requires the user to have Write, Maintain or Admin permission to your repos as described in this page:
https://help.github.com/en/articles/repository-permission-levels-for-an-organization
Write, as the name suggests, grants push permission to your repo so you will need to think about how to proceed.
I assume you're using GitHub.com (rather than GitHub Enterprise) so would suggest the following:
Grant the bot-user write access to your repo
Create a team of users who require push access
Enable the branch restriction "Restrict who can push to this branch"
Add the newly created team you to the restriction
Set the "Branch name pattern" to *
https://help.github.com/en/articles/enabling-branch-restrictions
This will apply the restriction to all branches within your repo and prevent the user from pushing, but does not prevent the writing of status checks.
If you were using GitHub Enterprise I would consider a pre-receive hook to prevent the bot-user from being able to push code into your repos.
Mick

In TFS Online, How do I share a code branch with our customer

We have an enterprise customer that we have delivered a system for. It is part of the agreement for us to supply them with the source code of the latest release. We are using TFVC on TFS online, and we thought it would be easiest to give them access to our Main branch. But I have difficulties with only allowing them to access the code and nothing else. The user I am testing with, can see too much: I.e. things like dashboard, current team members etc.
Is it possible for me to only expose code from the Main branch and nothing else to an external user?
Giving access to TFS Main Branch out of Organization (AD) is not advisable considering security.. Instead consider giving source code into zip format there are lot of large file sending (FTP sites) are available..
Still for your request of restricting access to user have a look over this
https://www.visualstudio.com/en-us/docs/setup-admin/restrict-access-tfs
you can consider replicating your part of source code into separate stream and give reader read only access to that stream.
Hope this helps... :)
Refer to these steps to set the permission:
Add user to your VSTS (Basic)
Remove this user from all group if you added
Go to admin page of a team project Version Control (Setting > Version Control)
Select a folder/branch
Click Add > Add User to add that user
Select the user that you added
Set Read permission to Allow
Go to Security page (click Security)
Click Create group to create a new group
Set View project-level information to Allow and deny other permissions for this group
Click Members of that new group
Click Add to add that user to this group
After that, this user can access the code (Just the folder/branch the user has the read permission) on web access (Code > Files).

How to find out who changed the permission settings in Jenkins?

I am using Folder plugin and AD groups to control access to folder. This morning a team can't access their project anymore and later I found the AD group assignment in Assign Roles has been changed to wrong groups. Is there a way to find out which id did it? We only have a few admin ids.
Jenkins does not appear to keep an audit trail by default, as stated in this post on cloudbees.com, the folks that develop Jenkins.
The relevant lines:
Many Jenkins users look for a recommend a strategy for keeping an audit trail. This article is supposed to be a gap filler until more comprehensive compliance capabilities in JE/JOC are developed.
There are two open source plugins that enable you to track “WHO did WHAT?” in Jenkins:
...
The first plugin listed is Audit Trail Plugin which looks to provide exactly what you are seeking.
The description from the plugins page:
Keep a log of who performed particular Jenkins operations, such as configuring jobs.
This plugin adds an Audit Trail section in the main Jenkins configuration page. Here you can configure log location and settings (file size and number of rotating log files), and a URI pattern for requests to be logged. The default options select most actions with significant effect such as creating/configuring/deleting jobs and views or delete/save-forever/start a build. The log is written to disk as configured and recent entries can also be viewed in the Manage / System Log section.
I spent a few minutes looking through Jenkins various xml and log files, but could not find a log that contained something useful (username and/or timestamp). In this case it seems user auditing isn't built into Jenkins as of yet. Unfortunately it appears that you might not be able to determine who made those changes after the fact.

Using Gerrit to restrict read access to a git branch

I'm beginning to suspect that this is not possible. I was hoping that I could set up custom access control in Gerrit so that a particular role (defined in TF) would not have read access to a specific branch in a repo.
However, it appears that users with this role are unable to clone the repo at all. I was hoping they'd be able to clone and just not beb able to check out the restricted branch.
Just wondering if anyone else has enountered this and might be able to confirm the behaviour I'm seeing. I did see another thread here recommending gitolite for partial copies but I'm restricted to using TF/Gerrit.
Thanks!

Jenkins: Use personal credentials for project

I'm hosting a project on my Jenkins server. That project has a GitHub repo and I have it set up so it automatically builds new commits. In order for that to work, I need to input credentials for a github account that has full access to the repo.
The problem is, that if I want him to add his login info to the credentials list, I'd have to give him acces to all credentials on the server (I don't want that).
I tried using the credentials under "{username}" > "Credentials", but those didn't show up in the project setup (even with 100% access to everything on the server).
Is there a way for the user to store his credentials and use them for the project without giving him full access to all credentials on the server?
Add the user's credentials under Global security and then allow project based Matrix Authorization Strategy per project as shown:
I found the answer in this mailing list entry:
In short: You need to
install and activate the Authorize Projects Plugin,
enable "run as specific user" strategy in global security settings,
enable this for the project in question.
This allows you to use the credentials for this specific user.
Enabling ssh-agent is the final step to make this work conveniently.

Resources