pokemon-showdown

Fix Auth#isStaff

Open iscke opened this issue 4 years ago • 15 comments

iscke avatar Sep 11 '20 16:09 iscke

how's this?

iscke avatar Sep 12 '20 02:09 iscke

I wonder if it should be an actual permission. We also use lock for a lot of permissions that aren't actually related to locks...

Zarel avatar Sep 12 '20 02:09 Zarel

Alternatively, just do the ^ hardcode, for now?

Zarel avatar Sep 12 '20 02:09 Zarel

having it as a proper permission feels like a misname. what does it give you that you can't already do through Auth#isStaff and setting it manually in config?

(i'm pretty sure this needs a restart to take effect, so i'm not too worried about pushing it through particularly quickly)

iscke avatar Sep 12 '20 02:09 iscke

I think having it in the same place as roomonly makes sense - it's metadata about the group itself, rather than a permission in and of itself.

AnnikaCodes avatar Sep 12 '20 02:09 AnnikaCodes

I think the first question is "what is it used for"? Like lock, I think there's an argument that a lot of those things should be individual permissions.

Zarel avatar Sep 12 '20 05:09 Zarel

If we have time, let's create a list. My recent refactor migrated IP-viewing from ban to ip, which was a good start.

Things left:

  • Viewing private mod actions
  • Autojoining Staff?

Zarel avatar Sep 12 '20 05:09 Zarel

user.isStaff is used for:

  • Viewing private mod actions
  • Autojoining Staff
  • Automatically grant "trusted"
  • use STAFF_THROTTLE rather than regular throttle
  • A quotes permission hardcode which seems unnecessary?
  • Allow certain monitor bypasses
  • Allow use of the helpticket system

Zarel avatar Sep 12 '20 05:09 Zarel

auth.isStaff is used for:

  • STAFF_THROTTLE again
  • trusted user checking
  • chatfilter bypassing
  • a Mafia chatfilter bypass

Zarel avatar Sep 12 '20 05:09 Zarel

'lock' is used for:

  • /lock, /unlock (obviously)
  • people locked users can PM (and a lot of similar exceptions, basically only users who can lock are allowed to interact with locked users)
  • permission to use scripted buttons
  • permission to use <img> tags
  • not allowed to block PMs
  • bypassing hideBattlesFromTrainerCard
  • seeing help for private commands
  • /sharedbattles
  • /showglobalpunishments
  • /globalpunishments
  • seeing hidden roomauth in /userauth
  • punishment notifications (to prevent spam, if someone in a private room roombans/warns someone outside of the private room, it will only notify if the action is done by a global)
  • /unbattleban
  • /renamegroupchat
  • bypassing staff impersonation filter for status message
  • <<view-filters>>
  • /chatlog
  • various helpticket permissions
  • viewing IPs in modlog

Zarel avatar Sep 12 '20 05:09 Zarel

can('mute') is used for:

  • bypassing banwords
  • seeing staffintros
  • seeing punishments in /whois
  • /a lot/ of generic staff-only commands (approvals, show, subroomgroupchats, showing secret subrooms, chatlogs, a lot of room activity commands)
  • /a lot/ of generic moderation commands (hidetext, showblacklist, banwords list)
  • seeing whitelisted users in auth
  • helpfilter
  • getting helpticket notifications (looks like a mistake, honestly)

iscke avatar Sep 12 '20 05:09 iscke

I'm not sure that this is necessary anymore - our current method of determining isStaff hasn't been subject to any complaints lately.

AnnikaCodes avatar Apr 09 '21 05:04 AnnikaCodes

Our permissions system is still very inconsistent.

Zarel avatar Apr 09 '21 08:04 Zarel

The permissions system is still a hot mess, but the code currently in the PR isn't what will fix that so I've drafted this.

AnnikaCodes avatar Jul 21 '22 04:07 AnnikaCodes

This bug was fixed some time ago and as such, this PR can be closed.

mia-pi-git avatar Jul 21 '22 04:07 mia-pi-git

Mia says it's closed, so I'm closing.

monsanto avatar Jan 07 '23 07:01 monsanto