solanum
allow opers to always grant themselves downwards
I figure it's probably not difficult to work back down privset inheritance and, especially for testing purposes, downgrading your privset might be useful
doesn't even need to be inheritance, we can check that a target privset is a subset of your current privset
should this be configurable/can you think of any reason to turn it off?
> should this be configurable/can you think of any reason to turn it off?
I'm not sure, but these would be my questions:
- Might other bots make decisions based on the privset name output?
- Would there be a good reason to have two different privsets with the same privs but different names?
- Are we committing to privs always being additive? Could there be a case where having a priv added restricts somehow?
- Can we just allow dropping individual named privileges rather than changing your privset?
- Are there combinations of privs that it would be bad to allow someone to have?
> - Would there be a good reason to have two different privsets with the same privs but different names?
I can't think of anything that doesn't seem super contrived
> - Are we committing to privs always being additive? Could there be a case where having a priv added restricts somehow?
I think we probably should be. "bad" privs are weird, and given they could only temper other privs (since you can drop all of yours by deopering) I feel like it'd always make sense to refactor to all positive privs.
> - Can we just allow dropping individual named privileges rather than changing your privset?
I think this would get pretty messy. Right now privsets are just references, and if we change that we need to decide what's supposed to happen if you edit your privs and then your starting privset is modified.
> - Are there combinations of privs that it would be bad to allow someone to have?
I suppose oper:general in combination with many other privs could technically qualify, since it activates parts of them by switching you to OPER_HANDLER (we should get rid of that)
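The subset check proposed earlier in the thread, as an added example that is not part of the original discussion and is not solanum's own code. The `struct privset` layout, the function names and the sample privsets are hypothetical, and the check is only sound under the assumption discussed above that privileges are purely additive.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a privset: a name plus space-separated privileges. */
struct privset {
    const char *name;
    const char *privs;
};

/* True if the token priv[0..len) appears as a whole token in set->privs. */
static bool privset_has(const struct privset *set, const char *priv, size_t len)
{
    for (const char *p = set->privs; *p; ) {
        p += strspn(p, " ");
        size_t n = strcspn(p, " ");
        if (n == len && memcmp(p, priv, len) == 0)
            return true;
        p += n;
    }
    return false;
}

/* Allow the switch only if every privilege in target is already held.
 * Names are ignored: only the privilege contents decide. */
bool privset_can_downgrade(const struct privset *current, const struct privset *target)
{
    for (const char *p = target->privs; *p; ) {
        p += strspn(p, " ");
        size_t n = strcspn(p, " ");
        if (n > 0 && !privset_has(current, p, n))
            return false; /* target would grant something new: refuse */
        p += n;
    }
    return true; /* an empty target is always a valid downgrade */
}

/* Constructed sample privsets for illustration. */
static const struct privset ps_admin  = {"admin",  "oper:general oper:kill oper:kline oper:admin"};
static const struct privset ps_helper = {"helper", "oper:general  oper:kill"};
static const struct privset ps_none   = {"none",   ""};
static const struct privset ps_prefix = {"prefix", "oper:kil"};

int main(void)
{
    printf("admin -> helper: %d\n", privset_can_downgrade(&ps_admin, &ps_helper));
    printf("helper -> admin: %d\n", privset_can_downgrade(&ps_helper, &ps_admin));
    return 0;
}
```

Matching whole tokens rather than substrings matters here: a target containing `oper:kil` must not be satisfied by a current privset that holds `oper:kill`.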