
Provide a way to allow a user or access token to access a certain repository and nothing else in a project. #930

Open
trustin opened this issue Mar 13, 2024 · 1 comment

Comments

@trustin
Member

trustin commented Mar 13, 2024

Currently, to allow a user or access token to access a certain repository, a project owner must add the user or access token to the project metadata. The user or access token being added can have MEMBER or OWNER role.

Let's say we have the following project structure:

  • my_proj
    • repo_foo (allows MEMBER access)
    • repo_bar (allows MEMBER access)
    • repo_qux (allows MEMBER access)

.. and the following users:

  • alice (role: OWNER)
  • bob (role: MEMBER)
  • charlie (role: MEMBER)

It is currently not possible to disallow charlie from accessing repositories other than repo_qux in Central Dogma, because charlie has the MEMBER role. Note that charlie can't have the GUEST role here because a project member is always a MEMBER or an OWNER.

It is also not possible to remove charlie from the project member list, because a user (or access token) must be a member of the project to have the per-repository permissions.

To address this issue, we could:

  • Allow granting repository-level permissions to a user or access token even if the user or access token is not a member of the project; or
  • Allow assigning the GUEST role when adding a user or access token to the project.

To me it seems like the first option is more intuitive and user-friendly because it sounds odd to have a project 'member' whose role is 'GUEST'.

@trustin
Member Author

trustin commented Mar 13, 2024

One way to achieve the same goal at the moment is to:

  1. Add charlie as a MEMBER.
  2. Remove both READ and WRITE permission of charlie for all repositories except repo_qux.

This is less secure because charlie will have access to any newly added repositories in the project.
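The permission semantics described in the issue and the comment above, as an added model that is not Central Dogma's own code: the `Repository`, `Project` and `can` names are assumptions, while the user, repository and role names come from the issue. It shows why the MEMBER-plus-overrides workaround leaks access to a repository added later, and how the first proposal (per-repository grants for non-members) does not.

```python
# Constructed model of the access-control semantics discussed in the issue;
# not Central Dogma's own code. Class and function names are assumptions.
from dataclasses import dataclass, field

OWNER, MEMBER = "OWNER", "MEMBER"
READ, WRITE = "READ", "WRITE"


@dataclass
class Repository:
    member_perms: set = field(default_factory=lambda: {READ, WRITE})
    # user -> set of permissions; an empty set is an explicit deny
    per_user: dict = field(default_factory=dict)


@dataclass
class Project:
    members: dict = field(default_factory=dict)  # user -> OWNER | MEMBER
    repos: dict = field(default_factory=dict)    # name -> Repository
    non_member_grants: bool = False              # the issue's first proposal


def can(project, user, repo_name, perm):
    repo = project.repos[repo_name]
    role = project.members.get(user)
    if role == OWNER:
        return True
    if role == MEMBER:
        # A per-repository override wins; otherwise the repo's MEMBER default.
        return perm in repo.per_user.get(user, repo.member_perms)
    # Not a project member: nothing today; only explicit grants under the proposal.
    return project.non_member_grants and perm in repo.per_user.get(user, set())


def workaround_project():
    """Today's workaround: charlie is a MEMBER, denied everywhere but repo_qux."""
    p = Project(members={"alice": OWNER, "bob": MEMBER, "charlie": MEMBER})
    for name in ("repo_foo", "repo_bar", "repo_qux"):
        p.repos[name] = Repository()
    for name in ("repo_foo", "repo_bar"):
        p.repos[name].per_user["charlie"] = set()  # remove READ and WRITE
    return p


def proposed_project():
    """First proposal: charlie is not a member but holds a grant on repo_qux."""
    p = Project(members={"alice": OWNER, "bob": MEMBER}, non_member_grants=True)
    for name in ("repo_foo", "repo_bar", "repo_qux"):
        p.repos[name] = Repository()
    p.repos["repo_qux"].per_user["charlie"] = {READ, WRITE}
    return p
```

Adding a repository to each project (`p.repos["repo_baz"] = Repository()`) is the check that separates the two: in the workaround charlie can read repo_baz by default, under the proposal charlie cannot.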
