etkecc
[Feature Request] Implement Granular, Role-Based Permissions for Secure Room Access
Problem Description
As an administrator of baibot, I've encountered significant challenges with the current user access model when trying to deploy the bot in a multi-user, multi-room environment. The current system presents both operational friction and a potential security vulnerability.
-
Operational Inefficiency: When I invite the bot to a room, other members cannot use it by default(direct @mentions of the bot or quoting/referencing the bot's previous responses or using pre-configured reactions). The only way to grant them access is to add each person individually using
!bai access set-users. This is tedious and does not scale for rooms with many members or fluctuating membership. -
Security Vulnerability via Global Permissions: The
!bai access set-userscommand grants a user global privileges. This means a user whitelisted for one specific room can then invite the bot to any other room. This creates a critical issue: if that user invites the bot to a large, untrusted room, the bot's features are exposed to an unintended audience. The current model lacks a mechanism to contain the bot's usage to specific, administrator-approved rooms.
In short, the existing system forces a choice between tedious manual management and granting overly broad permissions that can be easily misused.
Proposed Solution
To address these issues, I propose a more granular, four-role permission system. This model would provide flexibility for community use while preventing abuse by individual users.
Here is a breakdown of the proposed roles:
1. Global Administrator
- Definition: The super-user defined in the static
config.yamlfile. - Permissions:
- Possesses all administrative permissions across all rooms.
- Manages the appointment of lower-tier roles using commands like:
!bai access set-room-local-agent-managers <user_mxid>!bai access set-users <user_mxid>
2. Room-Local Agent Managers
- Definition: Trusted users appointed by the Administrator, empowered to manage the bot for a specific community or set of rooms.
- Permissions:
- Can invite the bot into new rooms.
- Can use a limited set of room-level administrative commands (e.g., creating and managing agents within that room).
- Crucially, they can control whether the bot is accessible to other members in the room using a new command, for example:
!bai access set-room-users <true|false>.
- Default Behavior: When a
Room-Local Agent Managerinvites the bot to a room, access for other Standard Room Members should default totrue, allowing for immediate community use.
3. Whitelisted Users (!bai access users)
- Definition: Standard users who are granted the privilege to use the bot for themselves, but not to manage it for others.
- Permissions:
- Can invite the bot to any room for personal use only.
- They are the only one in the room (besides other privileged users) who can interact with the bot.
- They have no access to any administrative commands, including creating agents or enabling access for other room members.
- Default Behavior: When a
Whitelisted Userinvites the bot to a room, access for other Standard Room Members defaults tofalseand is unchangeable by them. This is the key security control to prevent abuse.
4. Standard Room Members
- Definition: Any user in a room with the bot who is not in one of the privileged roles above.
- Permissions: Their ability to use the bot's core functions (text, image, voice) is entirely dependent on the room's setting, which is controlled by a
Global Administratoror aRoom-Local Agent Managervia the!bai access set-room-userscommand.
This role-based model would create a secure and flexible framework, empowering community managers while preventing unintended exposure of the bot's capabilities. Thank you for your consideration.
Add one more point: adding a room-level management command for Room-Local Agent Managers: !bai access set-room-users-blacklist, to restrict specific users in the room from using the bot.