This week, my Version Control SoC Project saw further completions of the API functions' implementations (the API itself is completely implemented now, if I'm not mistaken) and the creation of extendable admin screens, mainly for repositories for now. There's now a list of repositories separately for each version control system, and each backend can easily customize creation, editing and display of repository information by means of hook_form_alter() and a small number of more specific hooks. Repository management is now at the same level of functionality as the one in cvs.module, only that it's generic at the basics and other backends can without much effort provide their own custom stuff, just like CVS provides CVS modules and different methods of commit information retrieval. Sure, you want screenshots:
The VCS account management page also works with user account listings, but it doesn't do much in terms of management at the moment. (Mind that an "account" is not the actual account in the VCS, but rather the association of that one to the respective Drupal user.) The problem here is that account creation is strongly connected with account approval by the VCS admin, and I can see multiple use cases of how account approval could work:
- No admin approval is needed at all. This would be the default behaviour because it's most simple, and would mainly be used in small work environments and student teams working on university assignments, where each user is trusted to do the right thing.
- One approval is valid for all repositories. Once users have been approved, they can create accounts in all repositories known to the site. In principle, this is the same thing that drupal.org does now, only that there's the "special case" that is just provides one single repository as well. This will especially be necessary in distributed development scenarios where new repositories are created by users when needed, and are not a one-time hurdle to fulfill and then forget about it.
- Approval by project: when users get the ok of the project maintainer, they can create accounts in all repositories that are associated to the project. For centralized development, this means the same as approval per repository. For each repository, the user needs to apply with a separate motivation message, and each of them must separately be approved by the admin. This would be required for hosting sites like SourceForge with each projects having one or more separate repositories.
- Approval by repository: a project has multiple repositories, and the user is only granted access to one of them. (Say, the example contributor in my distributed-VCS project may only access the development branch repository, but merging into the stable/release/master repository is only done by myself.
That makes the approval stuff very complex: the user interface (both for the user and the admin) needs to adapt to each of those use cases, and project node integration is needed (so it must be pluggable, because project node integration is a separate module). My current plan is to provide account creation without required admin approval as a basis, and provide the other methods by hooking into the account creation form for each repository with form_alter() - if the user has permission to create an account, he may do so, if not, change the form to an application one. That might work, I think. It might also mean moving the approval status / motivation text table back into the API module. There might even be multiple tables for the different approval methods. I'll have to make up my mind about that.
In any case, I thought it would be a good idea to tackle account approval and creation as next task, and proceed to project node integration afterwards.
Comments
KISS
The repo stuff sounds and looks nice. I haven't played with the code yet, but it seems very on track.
The account management seems like a fairly twisted can of worms. :( You've done a nice job explaining the issues here, but my first impression after reading this is: "let's be careful not to completely over-engineer this problem". i know the whole point of your effort is to make all of this very general, but it's possible to make things too general such that they have to be incredibly complicated to handle all the cases they try to handle.
Would it be possible to focus (at least initially) on #1 and #2 from your list? Then, let's see real progress on the other remaining problems, and if time permits, we can revisit this for #3 (and maybe #4)? How does that sound? We don't need #3 or #4 on d.o yet, and there are other items (like release node integration) that loom large and will be critical if we can actually migrate to the new API.
Of course, sometimes, the only way to do something in a sane way is to make sure the API is flexible enough in the first place... But, I think we need to beware of getting bogged down on every possible case and spending days/weeks on it. And, we can always change the API if we need to later, once we better understand the problem. ;)
Cheers,
-Derek
Yes, totally
I'm very aware that this can easily become clumsy both in the code and in the user interface, and you're totally right that we must not take this further than necessary. I've got #1 nearly working, and I already considered shifting focus to project node integration before doing any of #2-#4. Seems to me that #2 only is a good compromise and necessary anyways, so the way you propose seems a good one to me.
As far as the API is concerned, I think that we can do #3 and #4 without API changes (or only minimal ones), just a bit more form altering magic will be required. When #2 is done, there's only little left for #3 and #4 anyways.
I'm trying to keep things sane.
Update and use case survey
Item #1 (user account creation without required admin approval) is now there, and ready for a quick look by interested bystanders. Needs some additional polish still, but it works. (The database structure will still change a bit as well, so don't expect all too easy updates from there if you install Version Control API and the CVS backend.)
Should we have a "Delete account" button as well? It's no problem technically (the code infrastructure is there already) but I don't know if it's a good idea in terms of use cases. Are VCS accounts deleted? If so, should the user be able to do so (given the right permissions)?
In other news, I'm going to be away until Sunday (band practice), so you won't reach me till then.
We disable, not delete, on d.o
In the rare cases that we feel someone is mis-using their CVS account, we just disable it instead of deleting it. It's important history if they had a previously active account that's now explicitly disabled.