We should have a section dedicated to permission management:
- project level permissions
- org level permissions
- managing of different groups within an org
Hmm, we talked about it. I'm kinda confused about the supposed best-practice for managing organization-wide permissions in teams, as you can only give a team write-access and then repos to it, you can't say "This team gets read access here, and write there, and can write here but without editing the wiki" etc, so it'd be interesting how this should be achieved.
I kinda guess you'd have to create a team for everything, like put a person in collaborators, webdevs, product manager and project-xy-owner and then you give the collaborators read access to a repo, webdevs write access to the same repo, the product manager can also edit projects on repos they are in etc ... but never tried if this works out.
I find the org-level right management kinda confusing TBH, and it'd be really nice to look this up to not accidentally give people too much power (or, in my case, I have to reconfigure everything thrice until people got the permissions they need to take some action we wanted them to do).
I mean, the UI buttons are already explained in the docs, but if I wanted to know how I can do this, I'd read through all of it and I still wouldn't know what I'm supposed to do to have a group of people with certain rights.
(The main problem is: It's simply not possible AFAICT to have one group and assign them different access levels on different repos, so I'm actually asking to write a workaround in the docs)
I'm admittedly not very familiar with the details of group management in Gitea, because I haven't had a need for it so far.
I agree with @fnetx that some clarification on org level permissions and especially restrictions in group management would be a welcome addition.
Yes, easily documenting the best-practice is the way to go, maybe not only covering the technical aspects but some social ones, like, what might be a good way to run your organization with minimum permission (and thus risk), but without cutting the workflow of users ...
relevant example of users who may have profited (not blaming, only referencing): Codeberg/Community#476 (someone in the team got too many permissions to remove a repo, although write access would probably have been enough)