Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Start permissions overhaul: Define user role permissions in the database #1008

Closed
wants to merge 1 commit into from

Conversation

wrongecho
Copy link
Collaborator

@wrongecho wrongecho commented Aug 26, 2024

This PR creates the database schema required to start defining user roles/permissions via the database. For now all we're doing is adding the fields, they don't actually do anything yet but they will soon.

Once we've got this in place, we can start to add logic on pages to check permissions against the DB rather than directly in the code. This will allow us to be able to offer custom user roles with custom permissions (maybe you want your more senior tech to have full access to client management & the business finances, but not your junior tech).

Very keen to hear your thoughts :)


Module access

Similar to the matrix we've manually defined across the app, but with a few more categories for flexibility.

  • user_role_admin_settings_access - Access to the Admin/Settings pages
  • user_role_clientmgmt_access - General client & contact management
  • user_role_ticketing_access - Ticketing
  • user_role_credential_access - Access to credentials/logins/passwords
  • user_role_sales_access - Selling (e.g. quotes, invoices, etc)
  • user_role_finance_access - Accounting/Finance (payments, transfers, etc)
  • user_role_reporting_access - Access to the reports pages (both financial and technical)
  • user_role_other_access - Catch-all for anything else, reserved for future use

Access levels

I really like the concept of destructive deletes being off by default. Now that archiving/unarchiving is properly implemented in most of the app, I think it's safe to say that 'Write' access can include the ability to archive something. This at least allows a user to partially undo something they added by mistake using their Write access.

  • 0 - No access
  • 1 - Read
  • 2 - Write (Read/Write/Archive)
  • 3 - Full (Read/Write/Archive/Delete)

Related:

Copy link

@wrongecho
Copy link
Collaborator Author

Test these changes at: https://userroles1008.pr-review.itflow.org
(automatic message)

1 similar comment
@wrongecho
Copy link
Collaborator Author

Test these changes at: https://userroles1008.pr-review.itflow.org
(automatic message)

@johnnyq
Copy link
Collaborator

johnnyq commented Aug 26, 2024

I love it @wrongecho and it got me thinking for further extensibility of the permission by taking your single table ideas and merging them into multiple relational tables like so

users
user_id
user_role_id

user_roles
user_role_id
user_role_name
user_role_description
user_role_is_admin (1 or 0) of 1 then access to everything so there is no need to define an actual admin role)

modules
module_id
module_name (Example module_ticket, module_sales)
module_description

user_role_permissions
user_role_id
module_id
permission_level (1 Read (Read), 2 Write (Read, Edit, Archive) / 3 Full (Read Edit Archive Delete) If no row exists then no access is given

Admin will be a defined role but won't need tables rows under user permission as they will automatically have full access

@wrongecho
Copy link
Collaborator Author

Totally on board with it being more modular.

I think we could then replicate user_roles into api_roles and user_role_permissions into api_role_permissions to allow more granular management of API permissions?

@wrongecho wrongecho closed this Aug 27, 2024
wrongecho pushed a commit that referenced this pull request Sep 14, 2024
2nd attempt at this one!
Similar to #1008 but separately defining the roles, modules and associated permissions in the database.
Also has admin being a defined role automatically having full access.

Parent issue: #530
wrongecho pushed a commit that referenced this pull request Sep 14, 2024
2nd attempt at this one!
Similar to #1008 but separately defining the roles, modules and associated permissions in the database.
Also has admin being a defined role automatically having full access.

Parent issue: #530
wrongecho pushed a commit that referenced this pull request Sep 14, 2024
2nd attempt at this one!
Similar to #1008 but separately defining the roles, modules and associated permissions in the database.
Also has admin being a defined role automatically having full access.

Parent issue: #530
@wrongecho wrongecho deleted the user-roles branch December 17, 2024 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants