
Restrict creation of tasks that don't run on an external worker

We likely only want to allow ordinary users to create "traditional" tasks (those that run on external workers). Superusers should be able to create server-side tasks that run in Celery workers, in order to allow us to do some basic automation of things like APT mirror tasks using cron and the API. Other task types should be restricted so that they can only be created by internal machinery, at least for now.

#344 (closed) introduced WorkRequest.task_type, but it's currently always set to WORKER. Since we already have a trivial server-side task (internalnoop) and will have a non-trivial one with !726 (merged), we need to do something to create their work requests properly. This would probably most easily be done by changing TASK_INTERNAL to TASK_TYPE and having it take values from TaskTypes.

Once we have this, the view that creates work requests can check the acting user's permissions against the task type: normal users can create WorkRequest.TaskTypes.WORKER, while superusers can create WorkRequest.TaskTypes.{WORKER, SERVER}.
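A sketch of the per-task-type check proposed above, as an added example rather than the project's own code. `TaskTypes` and `User` are stand-ins; the `INTERNAL` member, the enum's string values, the helper names and the default to `WORKER` when no type is supplied are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class TaskTypes(str, Enum):
    """Stand-in for WorkRequest.TaskTypes; INTERNAL and the values are assumed."""
    WORKER = "Worker"
    SERVER = "Server"
    INTERNAL = "Internal"


@dataclass(frozen=True)
class User:
    """Minimal stand-in for the acting user (hypothetical)."""
    is_authenticated: bool = True
    is_superuser: bool = False


class TaskTypeNotAllowed(Exception):
    """Raised when the acting user may not create the requested task type."""


def creatable_task_types(user):
    """Allow-list of task types this user may create through the API.

    Anything not listed is denied, so a task type added later stays
    restricted to internal machinery until it is explicitly opened up.
    """
    if not user.is_authenticated:
        return frozenset()
    if user.is_superuser:
        return frozenset({TaskTypes.WORKER, TaskTypes.SERVER})
    return frozenset({TaskTypes.WORKER})


def check_create_permission(user, raw_task_type=None):
    """Validate a client-supplied task type and return it as a TaskTypes member."""
    try:
        # Assumption: a request that names no type means a traditional task.
        task_type = TaskTypes.WORKER if raw_task_type is None else TaskTypes(raw_task_type)
    except ValueError:
        raise TaskTypeNotAllowed(f"unknown task type: {raw_task_type!r}") from None
    if task_type not in creatable_task_types(user):
        raise TaskTypeNotAllowed(f"not permitted to create {task_type.value} tasks")
    return task_type
```

Internal machinery would create its work requests through a separate code path that never calls this check, so no role reachable through the API can select the remaining task types.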
