Abilities/permissions around renaming/moving projects are confusing.
ProjectPolicy has a :rename_project ability that is only awarded to project owners. This ability is not checked, however, in the project edit interface, and changing either the name or path of a project is available to anyone who can see the project edit page following from the :admin_project ability, which is awarded to masters.
In the API, :rename_project is used, but only to protect changing the name of the project, rather than the path. This means that only owners can change the name, but both owners and masters can change the path, which makes little sense.
Other actions that are actually available to owners are changing the project visibility level, transferring it to a new group/user, deleting it and archiving it.
I think that going forward, we should allow masters to change the name, owners to change the path, and make sure this is consistently enforced on the API and project edit interface.
@mydigitalself Wdyt?
/cc @rspeicher
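
The mismatch described in the issue above, modelled as an added example (not GitLab's code): it shows which of `name` and `path` each role can change through the edit page and the API today, and under the proposed rule enforced by one shared check. The method names, the `:developer` role entry and the role ranking are assumptions made for the illustration.

```ruby
# Abilities per role as the issue describes them (developer row is constructed).
ABILITIES = {
  developer: [],
  master:    %i[admin_project],
  owner:     %i[admin_project rename_project]
}.freeze

def can?(role, ability)
  ABILITIES.fetch(role, []).include?(ability)
end

# Edit page today: only :admin_project gates the form, so name and path
# are both writable by anyone who can open it.
def ui_allowed_today(role, attrs)
  can?(role, :admin_project) ? attrs : []
end

# API today: :rename_project guards the name only; the path falls
# through to the general :admin_project check.
def api_allowed_today(role, attrs)
  return [] unless can?(role, :admin_project)
  attrs.reject { |a| a == :name && !can?(role, :rename_project) }
end

# Proposal from the issue: masters may change the name, owners the path.
# One function is meant to be called from both the controller and the API,
# so the two entry points cannot drift apart again.
ROLE_RANK = { developer: 1, master: 2, owner: 3 }.freeze
PROPOSED_MIN_ROLE = { name: :master, path: :owner }.freeze

def proposed_allowed(role, attrs)
  rank = ROLE_RANK.fetch(role, 0)
  attrs.select do |a|
    min = PROPOSED_MIN_ROLE[a]
    # Deny attributes this rule does not cover instead of allowing by default.
    min && rank >= ROLE_RANK.fetch(min)
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[developer master owner].each do |role|
    attrs = %i[name path]
    puts format('%-9s ui=%-14s api=%-14s proposed=%s', role,
                ui_allowed_today(role, attrs).inspect,
                api_allowed_today(role, attrs).inspect,
                proposed_allowed(role, attrs).inspect)
  end
end
```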