
Enable Pages access control - satireguff
https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/5576
======
codegladiator
GitLab is amazing in my personal opinion... The autodevops (with connect k8s)
has made my life easier by 10x at least

------
white-moss
Awesome. Advantage has been added. GitLab is better than GitHub, I think.

~~~
alt_f4
Try discovering a project/package on GitLab vs GitHub. They really need to add
proper search / explore mechanism.

~~~
unlinked_dll
I'm ok with a git hosting platform that has absolutely zero social media
elements to it.

~~~
dewey
This also affects self hosted instances in a company where you want to find
other packages though. It's not a "social network" feature.

~~~
darau1
You're telling me there are cases where a company has so many projects in its
gitlab instance that employees routinely have to _search_ for things? That
seems odd to me. I'd expect there to be a naming scheme for most things, and
even if there's some oddball project, I'd think somebody else you work with
knows about it and where it is. My company has maybe 20-30 projects, and I can
find any of them easily if I know the client's name.

~~~
dewey
> My company has maybe 20-30 projects

Ever worked in a company with micro services or a company that has a bunch of
employees? You'll have hundreds of projects easily if it's a bunch of teams.
If someone tells me "it's in our SRE libs package" I'll go ahead and search
that. (Usually I can't find it because it's in a separate namespace on our
Gitlab instance. Doing that is an Enterprise only feature on Gitlab right now:
https://docs.gitlab.com/ee/user/search/advanced_global_search.html)

The point is that search is important and not a social network gimmick.

~~~
darau1
I hadn't considered companies that use microservices instead of monoliths, I
think you might be right

~~~
oneplane
Yep, same here. We architected our services so that a common layer could be
used which reduces service duplication but still we have over 700 projects for
just one company doing end-to-end ecommerce and fulfillment. At some point you
even start running out of names so you end up with people using acronyms from
their specific fields which quickly ends up being unfindable. Not because of
search but because you no longer know what to search for.

------
gravypod
Very excited about hosting code coverage reports (with line by line coverage)
for developers.

------
haywirez
All that’s missing is the ability to control these settings through the API -
same with Let's Encrypt certs / auto SSL.

------
StavrosK
Can someone explain to me what this does? It seems to me that it restricts
Pages to project members, but I've had that feature enabled on private repos
for at least a week or two now, which makes me think this is something
different, but I can't figure out what.

~~~
hddqsb
That's what it does. It's not that new, it's been live since Sept 27
(https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/5576#note_222976738).

~~~
StavrosK
Ah, okay, that makes sense, thanks! I can't tell you how much trouble I've had
deploying docs with authentication to an org that uses GitHub, I basically
spent a whole day figuring something out and gave up. GitLab was literally one
setting.

------
peterwwillis
It's nice to know other orgs also have these checklists where lots of items
aren't checked, and you have no idea if they _should_ be checked, or when,
why, etc. Does anyone have a good solution to this?

------
jfowl
I really like their checklist. It brought many details to my attention that I
would have missed when developing such a feature. Does anyone know such a list
of checklists (awesome-checklists or so)?

------
hddqsb
I love GitLab, and Pages access control is a great feature, but I think this
was rolled out very poorly.

<rant>

The access level is "Only Project Members" by default for private projects,
which I consider a breaking change because the steps I previously used to
create public Pages (add .gitlab-ci.yml and push) no longer work.

The first time I tried to deploy Pages after the access control feature was
enabled I wasted a lot of time because of this. When my new webpage redirected
to the GitLab sign in page, I didn't bother signing in (why should I, when
Pages have always been public?). I waited a day, because Pages have taken
several hours to provision in the past[1]. Finally I started searching the web
for why Pages was redirecting to the sign in page and found out about the
access control feature.

I support having the access level "Only Project Members" by default, but I
think the rollout could have been done much better. My main objections:

- There was no indication that the new webpage existed and that the issue was
access control -- when I tried visiting the webpage for a non-existent project
I got the same redirect. I understand why (to avoid leaking the names of
private projects), but the redirected sign in page could have still shown a
generic message ("project is missing or private") and mentioned that Pages are
now private by default.

- The setting was not in an obvious location for me. I checked "Settings >
Pages", which said the pages are served but did not give any indication that
access control was enabled. There should have been a notice here saying that
Pages are now private by default and that this can be changed in "Settings >
General > Permissions", at least for the first few months after the rollout.

- The API [2] does not support changing the Pages access level yet, so I have
to sign in to GitLab and change it manually (or fake the form submission). I
want to be able to create a project with public Pages from the terminal, like
I could before.

These issues could have stemmed from an assumption that developers heavily use
the GitLab web interface and are always signed in. For me that is not the
case.

Some small additional issues:

- The option "Pages access control" in Settings > General > Permissions is
badly named because it's not clear what it means when it's toggled off. With
the other options (e.g. "Issues", "Wiki", "Snippets") it's clear that toggling
off the option removes the feature, but toggling off "Pages access control"
could either mean "remove the access control feature" (making the pages
available to everyone) or "remove the Pages feature" (making the pages
available to no one). From my experiments it appears to be the second.

- The options have a glitch where toggling an option puts the corresponding
access level in an inconsistent state. When the "Page access control" option
of a private project is toggled off then on, the access level dropdown shows
"Only Project Members" as selected but the value of the hidden <input> element
is 30 (Everyone). Submitting the form sets the access level to "Everyone", as
can be seen when the page refreshes. The other options have the same problem.

</rant>

[1] https://forum.gitlab.com/t/gitlab-pages-404-for-even-the-simplest-setup/5870/58

[2] https://docs.gitlab.com/ee/api/projects.html#edit-project

~~~
sytse
Thanks for the list. I've shared this with the group responsible for pages.

------
greggh
Gitlab has enabled China's censorship of foreign content and free speech:

https://www.theregister.co.uk/2019/10/16/gitlab_employees_gagged/

~~~
CallMeMarc
It's none of GitLab's business to play the judge in this. If a customer is doing
something illegal and a court makes a judgment, they will probably do
something.

I prefer a company not ruling their platform by their beliefs but by their
country's laws and court rulings.

~~~
y4mi
That sounds like a great idea but quickly gets you into very murky waters,
especially wrt China.

If the government in question doesn't try to be just, you'll end up assisting
murder and silencing the voices of the oppressed.

Sometimes it really is better to say "no" to a business opportunity, if the
other side isn't behaving in a sane manner.

And fwiw: gitlab did just that as the sister comment pointed out

~~~
Skunkleton
I think this is more nuanced. Right now companies' cooperation with China is in
the news. For example, both Blizzard and the NBA have betrayed American ideals
in favor of making money in China. Other companies have built a dependent
relationship with China over many years, and have been forced through this
dependence to support China (Apple comes to mind here). Other companies are
actively distancing themselves from politics (gitlab).

As a society, I think we need to decide what is best. In my opinion, companies
should be entirely apolitical, both internationally and domestically. Further
companies should not assert any influence _at all_ over political speech by
their employees. In return, employees should not imply corporate support for a
particular political view.

From my perspective, gitlab is doing the right thing. I don't think
corporations have _any right_ to involve themselves in politics, even if the
majority supports that position.

Edit: if popular sentiment is that American corporations shouldn't have a
dependent relationship with China, then the _elected_ government should
enforce sanctions. I don't need corporations enforcing moral policy.

~~~
vore
Please keep in mind that "apoliticism" is in itself a political position:
wanting to preserve the status quo and opposing change is still support for
the status quo which, in itself, is a set of political beliefs.

~~~
Skunkleton
It's not. If corporations were people I would agree, but they aren't. Politics
should be democratic. I don't want to live in a corporatocracy.

~~~
y4mi
It's impossible to be completely apolitical. Take your own example - Blizzard -
and tell me how they could stay moral without taking a political stance.

~~~
Skunkleton
Morality is for people. Companies should just follow the laws of the country
they are operating in. If we decide that isn't morally acceptable, then we can
1) stop using their services, and 2) push for change through our political
representatives.

I agree that if Blizzard were to respond to the loss of customers by pulling
out of the Chinese market, then that would be not entirely apolitical. Still,
it is far less political than they are presently.

