This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch sbp
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/sbp by this push:
new 356a7fc Update the documentation about check result ignores
356a7fc is described below
commit 356a7fc29ae5caee97c32d2b36464e2a7ac8e9b1
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Jan 30 15:39:38 2026 +0000
Update the documentation about check result ignores
---
atr/docs/check-ignores.md | 6 +++---
atr/docs/security-authorization.md | 5 +++++
atr/docs/storage-interface.md | 2 ++
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/atr/docs/check-ignores.md b/atr/docs/check-ignores.md
index 5cebbb4..36d8e27 100644
--- a/atr/docs/check-ignores.md
+++ b/atr/docs/check-ignores.md
@@ -14,7 +14,7 @@
## Overview
-Check ignores let committee members hide specific check results in the UI.
Ignored checks are removed from the warning and error counts shown on the
checks pages and are shown separately in _Ignored checks_ sections.
+Check ignores let project committee members hide specific check results in the
UI. Ignored checks are removed from the warning and error counts shown on the
checks pages and are shown separately in _Ignored checks_ sections.
### Where to manage ignores
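Review bot: The phrase "project committee members" in the added Overview sentence is ambiguous and does not match the rest of this patch, which says "committee members" in the Permissions paragraph and "PMC members of the project's committee" in security-authorization.md. A reader can take it to mean members of the project rather than of the committee that owns it. Suggest picking one term, for example "members of the project's committee", and using it in all three places.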
@@ -22,7 +22,7 @@ You can manage ignores from the release checks page by
selecting _Manage check i
### Permissions and visibility
-Any committer can view the ignores page for a committee, but only committee
members can add, update, or delete ignores. Ignores are stored per committee
and apply only to that committee's releases. (We intend to update this so that
ignores are stored per project instead.)
+Any committer can view the ignores page for a project, but only committee
members can add, update, or delete ignores. Ignores are stored per project and
apply only to that project's releases.
Please note that on the release checks page, the _Ignored checks_ list
includes primary check results only; archive member checks are not shown there.
On the per-file report page, the _Ignored checks_ list can include member
checks for that file.
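Review bot: In the added Permissions paragraph, "only committee members can add, update, or delete ignores" no longer says which committee, now that the preceding clause and the storage scope are both per project. Suggest "only members of the committee that owns the project", and a link to the new "Access control for check ignores" section of security-authorization.md, which states the same rule and how the writer enforces it.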
@@ -58,7 +58,7 @@ Negation and missing values are handled with a leading
exclamation mark. Prefix
## Examples
-To ignore all RAT warnings for your committee, set the checker pattern to
`atr.tasks.checks.rat.check` and the status to `Warning`.
+To ignore all RAT warnings for your project, set the checker pattern to
`atr.tasks.checks.rat.check` and the status to `Warning`.
To ignore license header failures for a specific release series, set the
release pattern to `apache-example-1.2.*`, the checker pattern to
`atr.tasks.checks.license.headers`, and the status to `Failure`.
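Review bot: The first example, now scoped to "your project", sets only the checker pattern and the status and says nothing about the release pattern, while the second example relies on a release pattern to narrow the rule. With ignores applying per project, it would help to state what the release pattern should be for a rule that covers every release of the project, so the two examples read as a matching pair.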
diff --git a/atr/docs/security-authorization.md
b/atr/docs/security-authorization.md
index 9d76df1..da987a1 100644
--- a/atr/docs/security-authorization.md
+++ b/atr/docs/security-authorization.md
@@ -13,6 +13,7 @@
* [LDAP integration](#ldap-integration)
* [Access control for releases](#access-control-for-releases)
* [Access control for tokens](#access-control-for-tokens)
+* [Access control for check ignores](#access-control-for-check-ignores)
* [Implementation patterns](#implementation-patterns)
* [Caching behavior](#caching-behavior)
* [Implementation references](#implementation-references)
@@ -126,6 +127,10 @@ Token operations apply to the authenticated user:
* Allowed for: Anyone with a valid PAT
* Note: This is an unauthenticated endpoint; the PAT serves as the credential
+## Access control for check ignores
+
+Check ignores allow committee members to suppress specific check results from
the warning and error counts. The ignores page is accessible to any
authenticated committer, but only PMC members of the project's committee can
add, update, or delete ignore rules. The storage writer validates that the user
is a member of the committee that owns the target project by calling
`is_member_of(project.committee_name)`. As additional protection, the writer
also validates that the project belongs to [...]
+
## Implementation patterns
Authorization checks in ATR follow consistent patterns.
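Review bot: The new "Access control for check ignores" section is a single prose paragraph, whereas the token section directly above it lists each operation with "Allowed for:" and "Note:" bullets. Suggest the same layout here, with one entry for viewing the ignores page (any authenticated committer) and one for add, update and delete (PMC members of the project's committee), and the `is_member_of(project.committee_name)` check and the additional project ownership validation as notes. That keeps the read rule and the write rule easy to audit separately.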
diff --git a/atr/docs/storage-interface.md b/atr/docs/storage-interface.md
index d394275..2901c6d 100644
--- a/atr/docs/storage-interface.md
+++ b/atr/docs/storage-interface.md
@@ -46,6 +46,8 @@ The write session takes an optional
[`Committer`](/ref/atr/web.py:Committer) or
Because projects belong to committees, we provide
[`write.as_project_committee_member(project_name)`](/ref/atr/storage/__init__.py:as_project_committee_member)
and
[`write.as_project_committee_participant(project_name)`](/ref/atr/storage/__init__.py:as_project_committee_participant),
which look up the project's committee and authenticate the user as a member or
participant of that committee. This is convenient when, for example, the URL
provides a project name.
+Some storage writers perform additional authorization validation beyond what
`as_project_committee_member` provides. The check ignores writer, for example,
validates that the target project belongs to the committee for which the user
is authorized. Therefore even if a caller mistakenly passes an incorrect
project name, the writer will reject the operation.
+
Here is a more complete example from
[`api/__init__.py`](/ref/atr/api/__init__.py) that shows the classic three step
pattern:
```python
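Review bot: The closing sentence of the added paragraph, "even if a caller mistakenly passes an incorrect project name, the writer will reject the operation", claims more than the check described in the sentence before it. Validating that the target project belongs to the committee for which the user is authorized rejects only a project owned by a different committee; a wrong project under the same committee would still pass. Suggest wording it as "a project name that belongs to a different committee", and naming how the rejection is reported so callers know what to handle.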