Fix create/edit/delete release permissions to match tag creation permissions
Problem to solve
Tags and releases are very related concepts, but their permissions are very different:
- Tag permissions are highly configurable through protected tags
- Release permissions are instead based on user role (with no customization):
- All Developers can create and edit releases
- All Maintainers can delete releases
Because of this permission model mismatch, we're receiving a number of bug reports:
User experience goal/proposal
Align release creation/updating/deletion with protected tag permissions.
If a user can create or edit a particular tag, they should be able to create, edit, and delete a release based on the tag.
Conversely, if the users cannot create or edit a particular tag, they should not be able to create, edit, or delete a release based the tag.
- Unifies tag and release permission systems
- Much simpler to reason about and explain in documentation
- Releases get a mature, configurable permission system (protected tags) for free
The current system allows for a number of strange edge-cases:
- A Developer can't create a new release based on a new protected tag, but can create a new release based on an existing protected tag
- This distinction isn't obvious to the user - in the first scenario, page errors with a generic error message
- Any Developer can edit a release based on a protected tag, even though they couldn't have created the release in the first place
- Developers can create a release they can't delete
None of these are very obvious behaviors; users have to have a deep understanding of release and tag permissions in order to understand these seemingly inconsistent behaviors.
Releases targeting a protected tag share the same permissions as that tag.
This text should be added on:
- Protected tags settings
- New tag creation
- New release creation
- Release editing page (to make it clear to a user why they can't edit that release)