Enforce configuration of roles in Weblate

Originally created by @zen on #17338 (Redmine)

I haven’t followed previous discussion about this, but there’s the idea of enforcing configuration of Weblate roles (as defined in the design doc through configuration management using Puppet.

Roles are:

• Anonymous users can suggest.
• Logged in users can suggest and vote on suggestions.
• Reviewers can accept suggestions.
• Admin.

The Puppet code created for this might need to be updated when weblate/django’s API changes.

Can someone share some background on this discussion? Was it thought to protect against a specific kind of attack or bug?

Steps for implementing:

• Create script that checks for differences between template and actual permissions.
• Agree on the desired state and encode it into the YAML file.
• Add an option to enforce the config.
• Add tests
• Add logging
• Check/Update documentation
• Switch the cron job to enforce the config.
• Add Viewers to every user as it is the default by Weblate
• Cleanup Puppet code after deploy of renamed resources.

Related issues

• Blocks tails/sysadmin#16881