Introduce roles alongside permissions #118
Comments
|
"Owners" is problematic because it determines access rights within Lastuser, while the role will be defined in the database. This means Lastuser will need to be configured to recognise roles specified in the database. |
|
Today's discussion with @rudimk and @shreyas-satish brought up another issue: there is still no way to assign roles at a context more specific than "Organization", so this can't be used to grant access rights within an event in Funnel. Thought: Maybe augment the role assignment with an optional context, a buid string that is relevant to the client alone. This similar to the context in #114 and could perhaps be the same model. |
|
Essentially, this means one can't assign a role that only gives a user access to event A, but not event B, in Funnel. So your idea of augmenting roles with a context, makes sense. But this means the client will have to create these contexts, which is like the problem with creating roles for event A and event B - users probably don't want to be burdened with that sort of thing, unless contexts can be manipulated with an API - then it would work just fine. |
|
Contexts are entirely API driven. There's no UI to them. |
|
Okay. Then I reckon it works out. |
|
Needs scenario analysis. The permission split between Lastuser and client apps has already made it difficult to build decent UI. This shouldn't make it worse. |
|
As discussed in #128 (context objects), app-level roles shouldn't be mixed up with Lastuser roles. We should drop that entirely from the scope of this ticket. This leaves us with a fairly simple role definition: class ROLE(LabeledEnum):
OWNER = (0, 'owner', __("Owner"))
ADMIN = (1, 'admin', __("Admin"))
MEMBER = (2, 'member', __("Member"))
|
|
Role definitions:
|
|
Wow. This was one of the first things we tried to flesh out back in Nov 2014. |
|
If we remove the Members and Owners teams, this may break Flask-Lastuser, which expects userids against them, especially when syncing teams in the client app. |
|
Example from Telegram of permissions attached to a role. If we use this approach, apps can specify additional permissions to Lastuser, which it can include in the UI. |
As discussed in #232: Temporary workaround: every organization has two uuid columns to represent owners and members, and the API passes these on in place of teams; all other teams will be deleted. Roles will be limited to Admin or Member and specified as an admin flag on the org membership model. We'll eschew more elaborate role definition for now while we migrate organisations to Funnel as per #232. |
|
Following from #232, organizations and roles will move into Funnel via hasgeek/funnel#401. This ticket is no longer necessary. Lastuser's code will remain untouched, only marked as deprecated, until client apps have been reoriented to Funnel and the code can be removed. |
The Members team was introduced in #28, but has never gained traction, so is being deleted to aid transition to the direct membership model presented in #151, #118 and #232. The final switch to direct org membership will happen elsewhere, in hasgeek/funnel#401.
Permissions are assigned to users against apps. Roles, OTOH, are assigned to teams within organizations.
Roles potentially replace the hardcoded "Owners" role that exists at the database level.
The text was updated successfully, but these errors were encountered: