Marketplace user/key management

[mjallday]

Currently you must pass an API key around to give another user access to a marketplace.

Ideally the dashboard would have a screen where you could assign a new user access to the marketplace by referencing their email address.

Bonus points if you could grant them read-only access or access to a subset of data.

[JoeConyers]

+1 would be great to get a read only access account for our client service people. (so they can see who has been paid etc)

[mjallday]

General user management is going to be implemented as part of the marketplace settings page.

Read-only access will be implemented as part of the above referenced balanced-api issue.

[mjallday]

Re-opened and leaving to implement as a separate task. Depends on https://github.com/balanced/injustice/issues/8

[rterwedo]

Being able to gen and revoke api keys form the dash would be great... especially with the prevalence of outsourcing today. I can make them via terminal but how do I revoke? What if I forget them etc? Looking at the dash it would be great to see all keys.

[mjallday]

@dmdj03 can we refine the mock to allow generating new API keys and revoking (deleting) existing ones?

[chadwhitacre]

+1 from me on #975:

I'd like to share access to Gittip's dashboard with @bruceadams, but I'd prefer not to simply give him the credentials for the main Gittip account. I'd prefer to have a main Gittip account and then accounts for both Bruce and I (etc.) that we use day-to-day.

[kyungmin]

Old mock

[kyungmin]

Things to be done

• Update mocks (@dmdj03)
  • update helper text style in the dialog (i.e., move to below the input field)
  • match the button text (invite) to 'Add'
  • add 'pending' state for unconfirmed users
• display “add a user" dialog
• display “marketplace access list” in the settings page
• send confirmation email
• test functionality

[dmdj03]

#971

[dmdj03]

[jkwade]

<3

[dmdj03]

Since managing API keys and users are closely related, it makes more sense to control these settings on the settings page specific to that marketplace.

This mock shows an API key section for adding and removing keys. You can also give your key a name. They're all admin keys, but we'll have read-only keys in the future to restrict access.

[mjallday]

This has been implemented and deployed via #988!!

Go forth and manage those keys :)

[mjallday]

I've moved read-only access off to #1012. We're still working on that!

[dmdj03]

User management

[dmdj03]

@tarunc - I have some feedback on the user management.

1. Include yourself (current user) in the users table (cannot remove yourself though)
2. Remove real-time email validation for the “add user” modal. Show an error message instead (on submit) if “@“ is omitted.
3. Order users table by most recently added to earliest
4. Display date the user was added to the marketplace, not the creation date of the account (assuming the email is already in use)
5. Rearrange the column order of the API Keys and Users table:

API Keys:
"Created" (date)
Key name
API key
Secret

Users:
"Added" (date)
Email

[patcon]

Was directed here from an IRC mention of being able to delegate access to multiple emails:
https://botbot.me/freenode/balanced/msg/12830077/

Just wanted to chime in that API access to user management would be helpful here: gratipay/gratipay.com#2220

Thanks!

[tarunc]

Ping @mjallday Would do you think of the above idea?

[mjallday]

able to delegate access to multiple emails

this should already be possible

API access to user management

this is definitely already possible, it just needs to be documented. this is how the dashboard communicates with auth.balancedpayments.com

[patcon]

Thanks @mjallday! I'll def investigate later. (Assuming the useful info is in the models for user and user_marketplace)

[mjallday]

@patcon none of the auth api is well documented. we never really explored allowing programmatic access to it. it's probably going to get to the point where it makes sense to do this given the discussions you're having.

we're happy to help you answer any questions, given that we haven't put a lot of thought into the auth api as a public resource there are probably a couple (or a lot) of styzes in there so feel free to ping me with questions.