feat: add Hugging Face org pool access#5
Merged
Conversation
Member
Author
|
Final validation before merge:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Pool admins could only invite individual Hugging Face users.
This change lets admins grant pool access to members of a Hugging Face organization, such as
huggingface, without giving those people repo or dataset permissions.The Space still owns dataset writes, and org-derived app tokens are shorter-lived so org membership changes eventually take effect.
What Changed
Org access is now part of the same pool membership system as individual users.
Admins can add or remove allowed member organizations from the Space Admin tab.
member_orgstoconfig/pool.jsonsnapshots with stable Hugging Face org IDs.orgIdsand parse OAuth userinfo org identities.Testing
I tested the full local gate and production build after the final changes.
The actual Hugging Face browser OAuth consent screen still needs deployed verification because it depends on HF's live OAuth flow.
npm run checknpm run buildRisks
The main behavior is covered by backend and explorer tests.
The remaining risk is HF OAuth provider behavior around
orgIdsin the live consent flow, which cannot be fully simulated locally.