web: Rename/alias --capabilities and --capabilities-header #834
Comments
simonmichael
added
web
|
@zarybnicky , here's a very delayed answer, re renaming hledger-web I don't have an opinion on whether it's worth renaming/changing |
simonmichael
added
needs:changes
|
I don't have a strong opinion on naming as long as it's functionally the same. (Sandstorm users never see this!) I definitely agree it would be silly to let a user have manage rights but not view rights, so while it's nice to be able to specify overlapping rights and compose later. (Sandstorm's vision here is that different types of roles may have differing sets of permissions that need to be composed if someone has access to multiple, not just a view/edit/admin distinction.) In a more simple permissions case, I think it makes sense that if you have any of these capabilities, you can view, if you have manage, you can also edit, etc. |
|
I pushed a start at this in the |
|
I don't know how to write Haskell anything. 🤭 |
Is there any point to being able to pick a different name for this HTTP header ? I assume Sandstorm calls it X-Sandstorm-Permissions and nothing else. Is it a common mechanism used by other web apps we want to support ? If not, should we merge this flag with the other one, eg it could be --allow=view|add|edit|sandstorm |
|
Also is the word capabilities important in this context ? I'm inclined to use "permissions". |
|
https://docs.sandstorm.io/en/latest/developing/auth
|
|
@zarybnicky I see you shared thoughts on naming above. I think:
-- do some permissions checking
access <- case capabilitiesHeader_ opts of
Nothing -> return (allow_ opts)
Just h -> do
hs <- fmap (BC.split ',' . snd) . filter ((== h) . fst) . requestHeaders <$> waiRequest
fmap join . for (join hs) $ \x -> case capabilityFromBS x of
Left e -> [] <$ addMessage "" ("Unknown permission: " <> toHtml (BC.unpack e))
Right c -> pure [c] |
|
@simonmichael It's not a security issue because you would only have the header option specified in the case you are using Sandstorm (or another header-based authentication proxy) which is writing to that header. All access to a Sandstorm app goes through Sandstorm, which writes the header. |
|
I see, Sandstorm's http bridge sanitises incoming requests and always sets this header itself, replacing anything a user might try to put there. |
Changes: 1. rename the sandstorm "manage" permission to "edit" (old permission names: view, add, manage; new permission names: view, add, edit). Rationale: "edit" best describes this permission's current powers, to users and to operators. If we ever added more manager-type features we'd want that to be a new permission, not a rename of the existing one (which would change the powers of existing users). 2. rename the sandstorm roles for consistency with permissions (old role names: viewer, editor, manager; new role names: viewer, adder, editor) Rationale: it's needed to avoid confusion. 3. add a new option: --allow=view|add|edit|sandstorm (default: add). 'sandstorm' sets permissions according to the X-Sandstorm-Permissions header. Drop the --capabilities and --capabilities-header options. Rationale: it's simpler and more intuitive. 4. replace "capability" with "permission" in ui/docs/code. Rationale: consistent with the above, more familiar.
Follow-up to #821. [and issuecomment-401393071]
I don't like
capabilitieseither, but it seemed like the best conceptual fit to what it does. There are two problems here - one is the naming, the other is UX.--capabilitiesenables features of the web UI that are available always (unless overridden by--capabilities-header),--capablities-headerspecifies a header (X-Sandstorm-Permissionson Sandstorm), which contains the permissions that the current role can access. We could reuse the Sandstorm terminology and say that the web application started byhledger web --permissions=view,add,managehas the permission to edit the journal in its entirety.--access-levelalso seems to fit.The UX problem is a different one. It is currently possible to start the webapp like
hledger web --capabilities=manage, and the app would be broken (perhaps functional, but with a broken UI). Do we foresee a need for more permissions? (E.g.manage-users,switch-journal)If yes, then there should be built-in roles for the static-permissions case (e.g.
--role admin == --permissions=view,add,manage), so that starting the app with misconfigured permissions is not as easy. If these permissions are all that will ever be needed (if hledger-web's intent is to only be a simple web UI without too many features), then the solution could be same as above, or the permissions/access-levels could be gradual -managewill always imply bothaddandview, andaddwill implyview(a sort of implicit roles)I'm unsure what the best solution here is.
--role,--permissions, and--permissions-headeruses commonly known terminology and is both accessible and extensible. Only--permissionsand--permissions-header(or alternatives) without--rolebut with implicit roles is not as clearly extensible, but would be simpler.(In writing this issue, I almost decided on
--permissions(-P?), which seems to be a better alternative to--capabilities(which is a good conceptual fit but an uncommon term),--access-level(which works but is conceptually closer to role than to permission) or others.)Any thoughts on this? I didn't expect my PR to get merged and immediately released, but I think that in any case, we need to keep
--capabilities{,-header}at least until next release.The text was updated successfully, but these errors were encountered: