_Originally created by @zen on [#17338 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/17338)_ I haven’t followed previous discussion about this, but there’s the idea of enforcing configuration of Weblate roles (as defined in [the design doc](https://tails.boum.org/contribute/design/translation_platform/translation_platform/#index3h1) through configuration management using Puppet. Roles are: - Anonymous users can suggest. - Logged in users can suggest and vote on suggestions. - Reviewers can accept suggestions. - Admin. The Puppet code created for this might need to be updated when weblate/django’s API changes. Can someone share some background on this discussion? Was it thought to protect against a specific kind of attack or bug? ### Steps for implementing: - [x] Create script that checks for differences between template and actual permissions. - [x] Agree on the desired state and encode it into the YAML file. - [x] Add an option to enforce the config. - [x] Add tests - [x] Add logging - [x] Check/Update documentation - [x] Switch the cron job to enforce the config. - [x] Add Viewers to every user as it is the default by Weblate - [x] Cleanup Puppet code after deploy of renamed resources. ### Related issues - **Blocks** tails/sysadmin#16881