PlanarAlly
PlanarAlly copied to clipboard
Permission/Role system
Originally posted by @Goury in https://github.com/Kruptein/PlanarAlly/issues/118#issuecomment-531528861
I'd very much like to see this application requiring an email address on registration, requiring administrative approval and activation of an account (and also to grant session creation permission) and also some way to restore a lost password using email. And also a way to lock registrations and allow administrators to make some accounts.
I'd like to propose these modes to be configurable via server config file. I'd like to propose following role groups: administrators, DMs, players. Administrators should be able to do stuff like role and access management. DMs should be able to DM a session (not necessarily to create one, also limit the amount of sessions per DM would be nice). Player should be able to move tokens and to do some stuff on a map (like draw, if allowed). Account without a role should behave like a spectator.
Also it should be possible to grand someone a permission to grant permissions to others, like this leveled variants:
- Can grant others permission to do some stull
- Can grant others permission to grant this permission
- Can grant others permission to grant permission to grant this permission
Example: admin grants permission to DM a session to someone. DM shouldn't be able make other DMs (unless he should). DM should be allowed to grant players permission to draw on map. Players who can draw shouldn't be able to grant the same permission to other players.
Tl; dr: Serious access management is what we need to make this software to the next level, role-and-permission based.
Trying to get a list down for this, I'm still pretty new to the code base so bare with me.
- Create
RoomRole
model, to dictate roles by enabled flags. - Expand
PlayerRoom
to have role, foreign keyed to RoomRole
That'd handle the room/campaign permissions. For admin roles and what not potentially;
- Create
UserRole
model, dictate admin, dm, player, spectator - Expand
User
to have new role based offUserRole
- Expand user API to get roles off of this
Then from there there would need to be some new admin management menus. Being able to list all users and adjust their roles on the server, things like that.
From there there could be a default configuration file that gets loaded when the server-side initializes. Something like default room role, default user role.
As far as email registration I'm not sure the best approach. I don't think all self-hosters have SMTP to use, is there some sort of free service that could be used as default? Or perhaps managed by the planarally.io domain? Just spitballing on this one.
Looks good to me.
Regarding email, I don't think it should be something we hardcode like a mail.planarally.io. I would instead opt for the option to configure a mailserver address in the server configuration, so that each hoster can choose for themselves how they want to handle mail. In that regard the server config should also be expanded to have something like requireEmailSignup
etc, but that is ultimately out of scope for this issue imo.
Curious where you're at on this @Kruptein.
If you're actively working on it I don't want to collide with what you're doing. If you are working on it, is there something I can do to help? I think this is something I'd like to try and tackle.
Oh I somehow assumed you were actually working on this :D So no I have not progressed on this
That's funny, I thought you added it to in progress because you were working on it.
I'll get to work, then!
So I kinda happen to have implemented some of the above due to having a need for it for my location changes that were just merged.
In the past you had Room.creator which refers to the player who is DM and Room.players which was a collection of PlayerRoom objects that refer to the players.
Now the PlayerRoom will also include the DM and an additional column has been added that is 'role' and is currently an integer (player=0, dm=1, spectator=2)