nhost
Reworking user roles grant and admin
Context: in nhost.toml, standard config for roles.allowed:
[auth.user.roles]
default = 'user'
allowed = ['user']
When roles.allowed includes other roles, such as moderator. "allowed" implies a list that could be granted to users. But no, current behaviour is that any on this list is auto granted to all new users. This is misleading and dangerous, when additional roles is associated with higher permissions, and thus should be only allowed but require explicit (manual) grant to select users.
I suggest reworking this for both nhost.toml and dashboard /users, ex.
Allowed Roles here should instead be a new config for "Granted Roles". Where it list all roles in the auth.roles table, with select toggles on as per what's been granted under the auth.user_roles table.
And then, in dashboard /settings/roles-and-permissions
This actual Allowed Roles list should be just a CRUD interface to config the auth.roles table. Could even just link out to dashboard /database/browser/default/auth/roles
With above, auth.user.roles.allowed in nhost.toml should be deprecated. Grant is per user_roles, and Allowed is all rows in roles tables
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}