Versions Compared

Version Old Version 14 New Version 15
Changes made by

Catalin Tomai

Catalin Tomai

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WIP

OVERVIEW

...

Code Block
PERMISSION_READ_SETTINGS
PERMISSION_WRITE_SETTINGS
PERMISSION_LIST_PRIVATE_TEAMS
PERMISSION_JOIN_PRIVATE_TEAMS
PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT
PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT_USERS
PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT_USERS
PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT_GROUPS
PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT_GROUPS
PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT_TEAMS
PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT_TEAMS
PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT_CHANNELS
PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT_CHANNELS
PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT_PERMISSIONS
PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT_PERMISSIONS
PERMISSION_READ_SYSCONSOLE_AUTHENTICATION

Note that, the assumption is that in order to have full access to a resource (System Console section or sub-section) - that is, WRITE permission, the user implicitly needs READ permission, so we would not to assign the READ permission to a role, if the WRITE permission is already assigned (basically WRITE covers READ). That would work in the System Console, however for API calls, the get and set calls are separate, so we need to assign both READ and WRITE permissions to a role: For User Manager role above, for the “User Management” section we could have had only the PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT and PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENTpermissions. The reason we have more permissions, to subsections, is that in the future we will have variants of this role that will have some of their subsections WRITE permissions removed.

Config.json mappings to permissions

...

Most API calls that were previously gated by the MANAGE_SYSTEM permission are now gated by the READ_* permissions for the get() calls and WRITE_* permission for the create, patch and update calls.
If we need to have more granular access to an API method that corresponds to the functionality of a sub-section in the System Console (like in the User Manager case), we will gate those calls on a case by case (a single panel functionality in the System Console panel can map to one or more API calls).


Permissions

See changes detailed above

Schema

No schema changes

REST API

The following API methods will have their gating functionality changes, as follows:

Performance

No performance degradation expected.

Plugins

CREDITS

Thanks to