embed icon indicating copy to clipboard operation
embed copied to clipboard

Published 20 hours ago • verified publisher icon widgetbot-io

Use role-based permissions instead of user-based

Open MisterVector opened this issue 2 years ago • 3 comments

Is your feature request related to a problem? Please describe. Having to define channel permissions for the widget bot account becomes cumbersome when accounts change. It would be far better to define channel permissions for a group that can be applied to widget bot.

Describe the solution you'd like I would like to be able to define channel permissions for a role (I.E. Web Bot) that I can apply to widget bot. Currently I can only do permissions on the account. If there ever is a situation where the account changes, I don't have to redefine the permissions. I just need to add the bot to that role instead.

Describe alternatives you've considered No alternatives that I can think of. Role-based permissions are easiest.

I've had this conversation on the widgetbot server before, and I was told that only user-based permissions would work because widgetbot only sees what everyone can see.

I've thought about this issue some more since that conversation and here is my assessment. If widgetbot relied on what everyone can see, as well as a role, then adding the role itself to a staff channel would also expose that channel to guests. That wouldn't be good! I would like to propose some changes in order for that to happen:

Add exceptions for roles that will not be accounted for when widgetbot sees if a channel can be accessed by guests. For example, when inviting WidgetBot to a server, it already has the role WidgetBot. If that role is then added as an exception, then adding that role to a staff category, for example, will enable the bot to see the category, but not guests. The WidgetBot role should be added as an exception by default, so there isn't a situation in the future where staff channels get leaked by accident.

Also, it should only be an exception for guests. If you log into the widget with a staff account, then that account should be able to see any staff channels that the WidgetBot role has been added to.

Let me know what you think!

MisterVector avatar Sep 18 '22 21:09 MisterVector

Instead of looking at all of the roles assigned to the bot (which will often include "bots" roles with special permissions), we are working on supporting configuring a "default role" with a bot account, and guests will use that role's permissions instead of the @everyone permissions.

advaith1 avatar Sep 19 '22 00:09 advaith1

Oh, so an allow list of sorts, where everything is disabled until that role is configured. That's pretty cool!

MisterVector avatar Sep 19 '22 04:09 MisterVector

it'll still default to using the @everyone permissions unless you set a role with the command

advaith1 avatar Sep 19 '22 04:09 advaith1