Roles & permissions

[taoeffect]

Problem

Some users will likely need to perform special functions for the group. It's likely that some of these functions should be restricted only to those users with the assigned role to perform them.

Solution

Design a generic role + permissions system, where each user can be assigned a role that comes with certain permissions.

A "role" is a bundle of permissions.

A permission is a string that is internally interpreted by both the UI and the contracts as being allowed to perform certain actions.

Possibly useful stuff:

• https://github.com/leonardovilarinho/vue-acl

[Silver-IT]

@taoeffect, @leihla. Seems like we need design for this.

[SebinSong]

Development Steps

Figma link for the hypothetical UIs: here

Step 1. - Build 'Roles & Permissions' UI with dummy data

Building 'Roles & Permissions' section in 'Group Settings' page, which will look something like below.
(NOTE: below is just an example design and the actual UI might look different from it.)

Step 2. - Build UIs for 'Add/Edit Permissions' with dummy data

This might be building a new modal where the admin user can assign a role to other members or edit their permissions which will be accessed via below call-to-actions.

Step 3. - Implement the functionalities in the group.js contract.

This might require adding a new field in group profile object such as role: { name: string, permissions: string[] } along with various sbp actions for add/edit/remove operations. Also, Integrate these actions into the UIs built in Step 1. and 2.

---

cc. @taoeffect

[SebinSong]

Hi @taoeffect ,

I'm in the middle of defining some roles in a group now, and got a couple of questions regarding the role moderator - delegator we discussed last week.

Q1.
The English phrase 'delegate permissions' doesn't make 100% sense to me yet, tbh. Does it means the ability to add/edit/remove permissions for a group member on behalf of the group administrator?

Q2.
If the answer to Q1. is yes, does it make no sense to have both delegate-permissions and add/edit/remove permissions in permission items of moderator - delegator like below screenshot? Because the phrase 'delegate permissions' means the ability to perform those three actions?

Q3.
Another question is about the difference between moderator - delegator and moderator. We won't allow moderator to perform add/edit/remove permissions for a group member but only give them a permission to view permissions set by the admin. is it correct?

Thanks,

[taoeffect]

The English phrase 'delegate permissions' doesn't make 100% sense to me yet, tbh. Does it means the ability to add/edit/remove permissions for a group member on behalf of the group administrator?

So, the idea I had was that if you were a "delegator", it meant that the admin had trusted you to be able to give whatever permissions you have to other people. It would mean you (as the admin) trust them to decide who else can have these permissions, and it would necessarily imply the ability to remove permissions too.

However, it would not mean that the delegator could delegate the delegate-permission to others. Only the admin would be able to do this. In other words, if the admin granted me moderator (delegator) role, I would only be able to grant moderator permissions to others, but not moderator (delegator). This is something I didn't mention on the call.

This is to prevent the following scenario:

1. Admin grants moderator-delegator to A
2. A grants moderator-delegator to B
3. Admin leaves the group or goes on vacation for a while
4. B removes A's permissions

In that scenario, the moderator-delegator A made a mistake in selecting B as another moderator-delegator and the group gets overthrown. I have personally witnessed this scenario happen.

In other words, a moderator (delegator) cannot create another moderator (delegator), only a moderator. Only the admin can create delegators.

So, I don't think add/edit/remove permissions is necessary here. Just delegate-permissions — which if granted, allows that person to delegate all permissions they have except for delegate-permissions, as well as remove moderator permissions from others.

Hopefully that answers it, but if anything is unclear let me know your doubts/concerns on Slack. :)