Basic rights/roles #16

Closed
2 tasks done
michael-fuchs opened this issue Mar 13, 2023 · 1 comment
@michael-fuchs
Contributor

michael-fuchs commented Mar 13, 2023

The following permissions are planned:

  • Administration: access to the admin area without restriction - initially user management.
  • Post-Create: create a blog post
  • Post-Update: edit a blog post
  • Post-Delete: delete a blog post

Tasks:

  • Concept/implementation for storing the permissions on the user in the DB.
  • Buttons (client) and functions (service) use these permissions. For logged-in users, the buttons they are not authorized for are disabled. For users who are not logged in, the buttons that require permissions are not shown at all.
@floscher floscher added this to the Ready to deploy milestone Mar 15, 2023
@floscher
Contributor

floscher commented Mar 16, 2023

@fumiX/entwickler We have the basic set of permissions as described above:

```typescript
export type UserRolePermissionsType = {
  /**
   * This is `true` when the user is allowed to give any user additional permissions,
   * and also remove their current permissions. Otherwise: `false`.
   */
  canEditUserRoles: boolean;
  /**
   * This is `true` when the user is allowed to create a new blogpost.
   * They are additionally allowed to edit those posts, which they created themselves.
   * Otherwise: `false`.
   */
  canCreatePost: boolean;
  /**
   * This is `true` when the user is allowed to edit any blogpost. Otherwise: `false`.
   */
  canEditPost: boolean;
  /**
   * This is `true` when the user is allowed to delete any blogpost. Otherwise: `false`.
   */
  canDeletePost: boolean;
};
```

At the moment we also have four roles that each give the user exactly one of these four permissions:

```typescript
// `UserRolesType` and the `UserRolePermissions` class are not shown in this snippet;
// each role carries a human-readable description and the permission flags it grants.
export const UserRoles: UserRolesType = {
  ADMIN: new UserRolePermissions(
    "Can change roles of all users", //
    { canEditUserRoles: true },
  ),
  POST_CREATE: new UserRolePermissions(
    "Can create a new post and also edit their own posts", //
    { canCreatePost: true },
  ),
  POST_EDIT: new UserRolePermissions(
    "Can edit any existing post", //
    { canEditPost: true },
  ),
  POST_DELETE: new UserRolePermissions(
    "Can delete any existing post", //
    { canDeletePost: true },
  ),
} as const;
```

Now these roles were just meant as a placeholder for a more sensible set of roles. I'd propose these ones:

  • Admin: all permissions (as soon as a user has canEditUserRoles, they could assign themselves any other role anyway)
  • Writer: canCreatePost
  • Editor: canEditPost, canDeletePost

Any comments on this, or other suggestions?


Sidenote: The concept for saving is as follows: In the user table an array of roles is persisted for each user. Both client and server are (without network calls) capable of converting a set of roles into a permission object, which has boolean attributes for what a user with that combination of roles is allowed to do.

@floscher floscher self-assigned this Mar 22, 2023
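The role-array-to-permission conversion from the sidenote above, together with the button behaviour from the issue description (disabled for logged-in users without the permission, hidden for anonymous users), as an added TypeScript example. This is not the project's own code; the role names `ADMIN`/`WRITER`/`EDITOR` follow the proposal, while `ROLE_PERMISSIONS`, `permissionsForRoles` and `buttonState` are assumed names.

```typescript
// Added example, not the project's code: resolve a persisted role array into a
// permission object and derive button state. UserRole, ROLE_PERMISSIONS,
// permissionsForRoles and buttonState are assumed names.
export type UserRolePermissionsType = {
  canEditUserRoles: boolean;
  canCreatePost: boolean;
  canEditPost: boolean;
  canDeletePost: boolean;
};

export type UserRole = "ADMIN" | "WRITER" | "EDITOR";

// Permissions granted by each proposed role (Admin = everything).
const ROLE_PERMISSIONS: Record<UserRole, Partial<UserRolePermissionsType>> = {
  ADMIN: { canEditUserRoles: true, canCreatePost: true, canEditPost: true, canDeletePost: true },
  WRITER: { canCreatePost: true },
  EDITOR: { canEditPost: true, canDeletePost: true },
};

const NO_PERMISSIONS: UserRolePermissionsType = {
  canEditUserRoles: false, canCreatePost: false, canEditPost: false, canDeletePost: false,
};

// Pure function for both client and server: the permission object is the
// boolean OR over all roles. Unknown role strings (e.g. stale DB values) and
// inherited object keys grant nothing instead of throwing or over-granting.
export function permissionsForRoles(roles: readonly string[]): UserRolePermissionsType {
  const result: UserRolePermissionsType = { ...NO_PERMISSIONS };
  for (const role of roles) {
    if (!Object.prototype.hasOwnProperty.call(ROLE_PERMISSIONS, role)) continue;
    const granted = ROLE_PERMISSIONS[role as UserRole];
    for (const key of Object.keys(granted) as (keyof UserRolePermissionsType)[]) {
      if (granted[key]) result[key] = true;
    }
  }
  return result;
}

export type ButtonState = "hidden" | "disabled" | "enabled";

// UI rule from the issue: anonymous users never see permission-gated buttons;
// logged-in users see them, disabled when the permission is missing.
export function buttonState(
  user: { roles: readonly string[] } | null,
  permission: keyof UserRolePermissionsType,
): ButtonState {
  if (user === null) return "hidden";
  return permissionsForRoles(user.roles)[permission] ? "enabled" : "disabled";
}
```

Because the same pure function runs on the client and the server, a disabled button is only a convenience; the service-side check on the same permission object is what actually enforces the rule.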