tgstation-server
Add our own ACL system that isn't dependent on system users
Requested by @MrStonedOne
I'm thinking we can make this file-based. Doesn't feel right tying something that can get this nested to the DB.
I'm thinking .tgsacl.json in the following format
{
  "Read": [ 1, 2 ],
  "Write": [ 2, 3 ],
  "Admin": [ 2 ]
}
Values are user IDs. Admin is the only way to grant r/w on the acl file.
We can add an instance user perm for all access admin on these files.
TGS itself will handle managing the views through the API. Clients will be responsible for modifying these files. TGS will reject invalid changes to them.
Still requires an API change for the new perm/configuration mode
that would be annoying to manage without the ability to group them.
User groups will likely have to get tied into this. Could do some shit like A/B/C/D for groups or just do group names.
I can definitely see the use of user groups, if only for the regular permission system.
Heck of an API refactor though
Break up the Users table into these
- PermissionSet owned by a User or UserGroup, just the instancemanager/administration right
- UserGroup: No parent/child relations, references a permission set, referenced by many users
Users now either have a permission set or user group
As for the jsons, here's the new format
{
  "Read": {
    "Users": [54,12],
    "Groups": [83]
  },
  "Write": {
    "Users": [54,12],
    "Groups": [42]
  },
  "Admin": {
    "Users": [54,12],
    "Groups": [56]
  }
}
Again, we can manage this on the client side so it's not so dense
Split into #1078 which blocks this
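An added example, not part of the original thread and not tgstation-server code: a strict validator and access check for the grouped `.tgsacl.json` format proposed above, showing the kind of rejection of invalid changes the thread describes. The function names, the treatment of a missing level as empty, the rejection of unknown keys, and the choice not to let Admin imply Read/Write are assumptions.

```python
import json

LEVELS = ("Read", "Write", "Admin")  # levels named in the proposal
KINDS = ("Users", "Groups")          # principal kinds in the grouped format


class AclError(ValueError):
    """Raised when a .tgsacl.json document is not in the proposed shape."""


def _ids(value, where):
    # IDs must be a JSON array of integers; bool is an int subclass, so exclude it.
    if not isinstance(value, list):
        raise AclError(f"{where}: expected a list of IDs")
    for v in value:
        if isinstance(v, bool) or not isinstance(v, int):
            raise AclError(f"{where}: invalid ID {v!r}")
    return frozenset(value)


def parse_acl(text):
    """Parse and validate; returns {level: {"Users": ids, "Groups": ids}}."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise AclError(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or set(doc) - set(LEVELS):
        raise AclError("top level must be an object with only Read/Write/Admin")
    acl = {}
    for level in LEVELS:
        entry = doc.get(level, {})  # assumption: an absent level grants nobody
        if not isinstance(entry, dict) or set(entry) - set(KINDS):
            raise AclError(f"{level}: must be an object with only Users/Groups")
        acl[level] = {k: _ids(entry.get(k, []), f"{level}.{k}") for k in KINDS}
    return acl


def is_allowed(acl, level, user_id, group_id=None):
    """True if the user, or the one group the user belongs to, is listed for level."""
    entry = acl[level]
    return user_id in entry["Users"] or (group_id is not None and group_id in entry["Groups"])


def can_change_acl(acl, user_id, group_id=None, all_access_admin=False):
    """Only Admin entries, or the instance-wide all-access permission, may edit the file."""
    return all_access_admin or is_allowed(acl, "Admin", user_id, group_id)


# Constructed sample: the grouped-format document from the thread.
SAMPLE = ('{"Read": {"Users": [54,12], "Groups": [83]}, "Write": {"Users": [54,12], '
          '"Groups": [42]}, "Admin": {"Users": [54,12], "Groups": [56]}}')
```

The earlier flat format (`"Read": [1, 2]`) is rejected by this parser, so a server accepting both would need an explicit migration path rather than a permissive fallback.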