Asking permission before giving authorization


#1

Suppose [email protected] is the maintainer of a project [email protected] and she wishes to add [email protected] as a project collaborator, allowing him to do things like pushing commits to the repository, merging merge requests, closing issues and so on.

The question is, should [email protected] be given access instantly, as soon as [email protected] adds him? Or should he receive an offer to become a team member, and decide whether to accept or reject this offer?

From what I’ve seen in GitLab, Gogs, etc., it’s the former case: you add a new collaborator to your repository, they get a notification and that’s it. As soon as you add them, they have access, even if they don’t ask for it. I suppose this approach requires fewer mouse clicks and less UI, but there is also a caveat:

If you get access that you don’t want, and some damage occurs to that repository etc., you can’t claim to have no access, even though you never knew about it. You may even be unaware of the access you have! Simply because you missed the notification in your potentially long list of notifications. You can accidentally do some mouse click or key press that modifies something you didn’t even know you could, or didn’t mean to do.

So I’m wondering whether it would be a nicer, safer way/default to add collaborators like this:

  1. Aviva sends Luke an Offer activity
  2. If Luke sends back a Reject, we’re done.
  3. If Luke sends back an Accept, Aviva sends Luke an access token

Luke can still dispose of his access token whenever he wishes, delete it without telling anyone. He can also ask Aviva to be removed, and she can then revoke his access token on her side.

My questions are:

  1. Should we use an Offer, or should Aviva simply send Luke the access token without any prior asking?
  2. Which ActivityPub activity to use for sending the token? One idea on my mind is a Create activity in which the object is called “Grant” or “Delegation” and has fields stating the resource (which is [email protected]), the access level (which may be “collaborator”), the actual access token and so on.

I’d love to hear your thoughts about this :slight_smile:
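
The Offer → Accept/Reject → token flow proposed in the post, sketched from the maintainer's side as an added example (not part of the original post and not any forge's actual code). `Offer`, `Accept`, `Reject` and `Create` are standard ActivityStreams types; the `Grant` object and its `resource`, `accessLevel` and `token` fields are hypothetical names taken from the post's idea, and the actor URLs used with it are constructed.

```python
import hashlib
import secrets

AS = "https://www.w3.org/ns/activitystreams"

class Maintainer:
    """Maintainer-side state: no access exists until the invitee sends Accept."""
    def __init__(self, actor, resource):
        self.actor, self.resource = actor, resource
        self.pending = {}   # offer id -> (invitee, access level)
        self.grants = {}    # invitee -> (access level, SHA-256 of token)

    def offer(self, invitee, level):
        offer_id = f"{self.actor}/offers/{secrets.token_hex(8)}"
        self.pending[offer_id] = (invitee, level)
        # "Grant", "resource", "accessLevel" are hypothetical vocabulary.
        return {"@context": AS, "type": "Offer", "id": offer_id,
                "actor": self.actor, "to": invitee,
                "object": {"type": "Grant", "resource": self.resource,
                           "accessLevel": level}}

    def receive(self, activity):
        """Return a Create{Grant} carrying the token only for a valid Accept."""
        ref = activity.get("object")
        entry = self.pending.get(ref) if isinstance(ref, str) else None
        # Ignore unknown offers, replies from anyone but the invitee, other types.
        if entry is None or entry[0] != activity.get("actor"):
            return None
        if activity.get("type") not in ("Accept", "Reject"):
            return None
        del self.pending[ref]            # an offer can be answered only once
        if activity["type"] == "Reject":
            return None
        invitee, level = entry
        token = secrets.token_urlsafe(32)
        # Keep only a hash server-side; the token itself goes to the invitee.
        self.grants[invitee] = (level, hashlib.sha256(token.encode()).hexdigest())
        return {"@context": AS, "type": "Create", "actor": self.actor, "to": invitee,
                "object": {"type": "Grant", "resource": self.resource,
                           "accessLevel": level, "token": token}}

    def authorize(self, invitee, token):
        grant = self.grants.get(invitee)
        digest = hashlib.sha256(token.encode()).hexdigest()
        return grant is not None and secrets.compare_digest(grant[1], digest)

    def revoke(self, invitee):
        return self.grants.pop(invitee, None) is not None
```
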