decent Should a user with manageRoles be able to delete roles that contain settings for permissions that the user does not have?

Should a user with manageRoles be able to delete roles that contain settings for permissions that the user does not have?

Open towerofnix opened this issue 7 years ago • 3 comments

I'm leaning towards "no", but I'd like thoughts.

Mar 09 '18 21:03 towerofnix

Is there a 'manageAllRoles' permission, or similar? Otherwise I'd say manageRoles should let you control all manner of roles ie. you're an admin. Not sure how it's currently laid out in the spec though?

Mar 10 '18 00:03 bates64

Side Q - @towerofnix does the spec make the _member and _guest (or whatever their names are) roles obvious enough that they will be implemented by default? We should probably declare a default set of permissions for these default roles (that servers should use at init) and say they may not be renamed or deleted.

Mar 10 '18 00:03 bates64

@heyitsmeuralex Updating the docs to make note of the specific permissions given to default roles would be good. In my branch, I've got a roles.js file that contains all default roles.

Mar 10 '18 01:03 towerofnix

decent decent copied to clipboard

Should a user with manageRoles be able to delete roles that contain settings for permissions that the user does not have?

decent
decent copied to clipboard