AAD account checks on packages for safety reports #9360
Conversation
… safety reports on it.
| @@ -114,6 +115,17 @@ public static bool IsAzureActiveDirectoryAccount(string type) | |||
| return type?.Equals(External.AzureActiveDirectoryAccount, StringComparison.OrdinalIgnoreCase) ?? false; | |||
| } | |||
|
|
|||
| public static bool PackageHasNoAadOwners(Package package) | |||
There was a problem hiding this comment.
Consider moving this check to the Controller. We can move to NuGetGallery.Core if we need to re-use it.
| @@ -1384,7 +1384,8 @@ public virtual ActionResult ReportAbuse(string id, string version) | |||
|
|
|||
| var model = new ReportAbuseViewModel | |||
| { | |||
| ReasonChoices = _featureFlagService.IsShowReportAbuseSafetyChangesEnabled() | |||
| ReasonChoices = _featureFlagService.IsShowReportAbuseSafetyChangesEnabled() | |||
| && CredentialTypes.PackageHasNoAadOwners(package) | |||
| return true; | ||
| } | ||
|
|
||
| return !owners.Where(o => o.Credentials.GetAzureActiveDirectoryCredential() != null).Any(); |
There was a problem hiding this comment.
Will !owners.Any(o => o.Credentials.GetAzureActiveDirectoryCredential() != null);
work?
There was a problem hiding this comment.
Not sure if this is valid or not, but could you do return !package?.PackageRegistration?.Owners?.Any(o => o.Credentials.GetAzureActiveDirectoryCredential() != null) ?? true? Just to mimic the other methods here.
There was a problem hiding this comment.
@skofman1 yes, that's cleaner--thanks. @camigthompson I'd like to leave it separate for readability, particularly as I'm separating our NRE-avoidance into its own block.
|
What should be the behavior if one of the package owners is an organization, and the org has collaborators that use AAD? |
|
@skofman1 This case is addressed now. Thanks for pointing it out! |
We'll allow safety report categories only on MSA-only account-owned packages as a first step.