Create roles and permissions #818
Conversation
based authorization Leverages alanning:roles package to associate a user to a role. Uses alanning:roles optional "group" parameter to limit the role's scope to either the global level or room level. The global level is applicable to users that can perform administrative functions. The room level is applicable to users that can perform room specific administrative functions (like a moderator). A role can have zero or more permissions. Permissions and their association to roles are defined by this package Authorization checks are based on whether or not the user has a role or permission. The roles, permissions, and their association are statically defined at this time. Eventually, there should be an API to dynamically create a role and associate it to static permission(s). Old 'isAdmin' and '.admin is true' checks have been replaced with corresponding hasPermission authorization checks. Additionally, code that automatically assigned admin privileges are updated to assign 'admin' role instead. channel/direct message/private group code checks authorization to edit properties (e.g. title) and edit/delete messages (regardless of the system level allow edit/delete settings). - user with 'admin' role are authorized to do anything - room creator is assigned 'moderator' role that can edit the room and edit/delete messages - members can only edit/delete their own messages IF system wide settings permit them to. v19 migration will - add 'admin' role to users with admin:true property - add 'moderator' role scoped to room for room creators - add 'user' role to all users. There are known issues unrelated to the changes made - If a user with edit/delete message room permissions logs out then a user without edit/delete message room permissions logs in, then they will see edit/delete icons. The server will deny execution - edit/delete icons are not reactive Thus if the system level allow edit/delete message setting is toggled, the icons will not reflect it. The server will deny execution.
|
+1 |
|
wow.. looks a lot of work.. congrats and thank you.. let's try it out |
|
I'm baffled at your work!! It looks amazing. I'll test it right away. Thank you very much, @rwakida |
|
WOW! 👍 Just keeping this in sync with base during development must have been an incredibly tedious task! THANK YOU!! @rwakida |
| @@ -18,7 +17,7 @@ Meteor.methods | |||
|
|
|||
| deleteQuery = | |||
| _id: message._id | |||
| deleteQuery['u._id'] = Meteor.userId() if user?.admin isnt true | |||
| #deleteQuery['u._id'] = Meteor.userId() if user?.admin isnt true | |||
There was a problem hiding this comment.
this was an additional check, since message obj is passed by the client, so message?.u?._id could be different from real message stored on db.
There was a problem hiding this comment.
That was before moderators could delete channel messages. We need a different check now.
There was a problem hiding this comment.
@marceloschmidt now is if user is admin or moderator instead if user is admin, but the line is still required to prevent normal users to delete messages from another users.
There was a problem hiding this comment.
Actually, by looking at the code above, we can see that we are already checking for permission:
unless hasPermission or (deleteAllowed and deleteOwn) throw new Meteor.Error 'message-deleting-not-allowed', "[methods] deleteMessage -> Message deleting not allowed"
hasPermission is checking if user is either admin or channel moderator: RocketChat.authz.hasPermission(Meteor.userId(), 'delete-message', message.rid)
Here's the permission:
{ _id: 'delete-message', roles : ['admin', 'site-moderator', 'moderator']}
There was a problem hiding this comment.
ok for unless hasPermission or (deleteAllowed and deleteOwn), the problem is deleteOwn = message?.u?._id is Meteor.userId() that is believing in the user passed to the method.
There was a problem hiding this comment.
I get it, so the user could pass in { _id: original_message_id, u: { _id: hacker_user_id } } and they'd be deleting an arbitrary message. In this case, should we perform a find on rocketchat_message and validate that?
There was a problem hiding this comment.
No, if user is a normal user, just pass user to delete query as the commented code
deleteQuery['u._id'] = Meteor.userId()
There was a problem hiding this comment.
So, deleteQuery['u._id'] = Meteor.userId() unless hasPermission
|
Just a question (i dind't see the code): Can moderator add/delete others moderators? And about
We can put permissons in classes (css), don't? If yes, we can make style hide/show that buttons according to correct permissions. |
|
Reviewed, looks good except by the comments. @AdrianoCahete, for now there is no way to add moderators, is possible but we need an interface for that. About the icons for delete/edit, no, permissions was based on privileges, so admins can delete any message, users can delete only their messages, we only need to refresh the some data when permissions changes. |
This question is just because, if any mod can add/delete any other mods, channel creator needs most privileges than "normal mods". Something like "founder" privilege. But it's just a question for future. :) |
|
@AdrianoCahete, I see, we need to define if channel creator can do something that moderators can't |
|
@sampaiodiego @marceloschmidt @Sing-Li @rodrigok |
|
@rwakida you too work fast, look my conflicts with your changes 😸
|
|
@rwakida what is your username at https://demo.rocket.chat ?? |
|
haha, yeah, thanks @rodrigok for doing the merge. 😃 thanks @engelgabriel! My username is r.wakida. I usually work on RocketChat after work so I don't log on often. are you guys on a lot? |
|
@rwakida we're online most of the time we are awake ;) we're always trying to help others willing to contribute, and there are quite a few that return just for hanging out and chatting with strangers. We found out that it makes a huge difference to have a live demo chat, with all the features, where people can actually see it works by chatting with anybody that's online. |
|
It's a fun environment to be part of in the demo. 👍 You should join us sometime!! |
|
👍 |
|
👍 great community :) |
|
@rwakida 👍 like five nines - 24 x 7 sorta hangout ... Mahalo ! |
|
@Sing-Li nice.. u have connections to Hawaii? ☀️ |
|
@rwakida ... let me see ... switched my email alias to westmakaha ions ago ... regular dreams of spam mushubi, huli huli chicken, and loco moco ... drifting into peaceful nap with Na Leo Pilimehana, Henry Kapono or Brudda Iz ... lining up f at To-Chau .... combing Kalalau for secret road to weed valley... picked guava at Guava Kai ... floating with horny honu galore at Poipu ... hanged out at the good o' Corner Kitchen ... stuffed my face at the Aloha tower Makino Chaya ... fighting for tables and $9 'kona' lobsters @ Fook Yuen... cruising the after hour wahine action at the Ala Moana tiki bar .... Unfortunately, ohana ... no 😄 But I love the islands, its people, and the underlying culture - and wished I can spend A LOT more time there. |
|
Currently the person creating a Channel is assigned Role "moderator" but I can't see anywhere how that person or other people can identify that that person is the moderator (for that Channel). Personally I think that..
Secondly, for what I think is currently the un-used Role of "site-moderator" I think that the current method of assigning "admins" should be extended to assign "site-moderators". That is, Admins can assign "site-moderators". -> new method setSiteModeratorStatus I think we then have a working multi-tier Role system. |
|
I also note that in client/startup/defaultRoomTypes.coffee, we have: |
Create RocketChat authorization package that handles role and permission based authorization
Leverages alanning:roles package to associate a user to a role. Uses
alanning:roles optional "group" parameter to limit the role's scope to
either the global level or room level. The global level is applicable
to users that can perform administrative functions. The room level is
applicable to users that can perform room specific administrative
functions (like a moderator).
A role can have zero or more permissions. Permissions and their
association to roles are defined by this package
Authorization checks are based on whether or not the user has a role or permission.
The roles, permissions, and their association are statically defined at
this time. Eventually, there should be an API to dynamically create a
role and associate it to static permission(s).
Old 'isAdmin' and '.admin is true' checks have been replaced with
corresponding hasPermission authorization checks. Additionally, code
that automatically assigned admin privileges are updated to assign
'admin' role instead.
channel/direct message/private group code checks authorization to edit
properties (e.g. title) and edit/delete messages (regardless of the
system level allow edit/delete settings).
edit/delete messages
settings permit them to.
v19 migration will
There are known issues unrelated to the changes made
edit/delete message room permissions logs in, then they will see
edit/delete icons. The server will deny execution
edit/delete message setting is toggled, the icons will not reflect it.
The server will deny execution.