khakers edited this page Sep 6, 2023 · 12 revisions

Permission Handling

Modmail-Viewer uses Role Based Access Control (RBAC) with the same roles as your modmail bot. For instance, if you assign a user the Administrator role in modmail, the Modmail-Viewer frontend will reflect this and grant that user access to administrator-only pages. Modmail-Viewer always uses your highest available role.

To grant a user access to Modmail-Viewer, you must first assign them a role, either by manually assigning a modmail role to their Discord account, or by giving them a Discord role that has been mapped to a modmail permission level (for example, a Discord role named "supporter" that you have added to the supporter level via [p]permissions add level supporter @supporter).

Some endpoints (most API endpoints) require at least admin-level permissions. To prevent easy abuse, most of these endpoints do not function when authentication is disabled.

Endpoint Permissions

Below is a table describing the minimum

Endpoint          Role
/logout           Anyone
/                 Supporter
/logs/{id}        Supporter
/dashboard        Supporter
/admin            Administrator
/audit/{id}       Administrator
/api/logs/{id}    Supporter
/api/config       Moderator
/api/logs         Administrator
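The table above, as an added, runnable illustration of the two rules this page states (each endpoint has a minimum role, and a user is judged by their highest role). This is example code written for this page, not Modmail-Viewer's own authorization code; it assumes the role ordering Anyone < Supporter < Moderator < Administrator and treats {id} in a route as exactly one path segment.

```python
import re

# Role ordering assumed for this example (the page lists the roles but not their rank).
ROLE_RANK = {"Anyone": 0, "Supporter": 1, "Moderator": 2, "Administrator": 3}

# Minimum role per endpoint, copied from the table on this page.
ENDPOINT_MIN_ROLE = {
    "/logout": "Anyone",
    "/": "Supporter",
    "/logs/{id}": "Supporter",
    "/dashboard": "Supporter",
    "/admin": "Administrator",
    "/audit/{id}": "Administrator",
    "/api/logs/{id}": "Supporter",
    "/api/config": "Moderator",
    "/api/logs": "Administrator",
}


def _compile(template: str) -> re.Pattern:
    # Turn "/logs/{id}" into an anchored regex where each {placeholder}
    # matches exactly one non-empty path segment.
    literal_parts = re.split(r"\{[^/}]+\}", template)
    pattern = "[^/]+".join(re.escape(part) for part in literal_parts)
    return re.compile("^" + pattern + "$")


ROUTES = [(_compile(t), role) for t, role in ENDPOINT_MIN_ROLE.items()]


def required_role(path: str):
    """Minimum role for a request path, or None for an unknown endpoint (deny by default)."""
    for rx, role in ROUTES:
        if rx.match(path):
            return role
    return None


def effective_role(roles) -> str:
    """Highest role the user holds; names not in the hierarchy are ignored."""
    known = [r for r in roles if r in ROLE_RANK]
    return max(known, key=ROLE_RANK.__getitem__, default="Anyone")


def is_authorized(roles, path: str) -> bool:
    """True when the user's highest role meets the endpoint's minimum role."""
    needed = required_role(path)
    if needed is None:
        return False
    return ROLE_RANK[effective_role(roles)] >= ROLE_RANK[needed]


if __name__ == "__main__":
    # Constructed sample requests: (roles the user holds, requested path).
    for roles, path in [
        (["Supporter"], "/logs/12345"),
        (["Supporter", "Administrator"], "/api/logs"),
        ([], "/logout"),
        (["Moderator"], "/admin"),
    ]:
        print(roles, path, "->", "allow" if is_authorized(roles, path) else "deny")
```

Unknown paths are denied rather than mapped to Anyone, which is the safer default when a table like this is the only source of truth.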

Quirks

NOTE: I will be rewriting authentication entirely for v1. The rewrite will resolve these quirks and allow revocation of tokens (in case of session hijacking, for instance).

There are some potentially important quirks you should keep in mind when configuring your users' permissions.

  1. A user's Discord roles are stored within their auth token (a JWT) after login. This means that if you change a user's Discord roles (for instance, making them a moderator), they will need to log out of and back into Modmail-Viewer to gain their new permissions. Modmail roles manually assigned to users are not subject to this.
  2. The modmail config may take up to 5 minutes to update.
  3. Auth tokens are stateless and not easily revocable (you can rotate your secret key to invalidate all issued tokens).
  4. Authentication is valid for 3 hours from login.
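Quirks 1, 3 and 4 all follow from the token being a self-contained, signed snapshot. The example below is added here to make that concrete; it is not Modmail-Viewer's own code, and it assumes an HS256 JWT with the claim names sub, roles, iat and exp (the page says only that roles are stored in a JWT and that a login is valid for 3 hours). It mints a token at login, then shows that a server-side role change is invisible to the existing token, that the token stops verifying exactly 3 hours after issue, and that rotating the secret rejects every outstanding token.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_LIFETIME = 3 * 60 * 60  # 3 hours, as stated on this page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, user_id: str, roles, now=None) -> str:
    """Mint an HS256 JWT whose payload carries the user's roles as of login."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}  # assumed algorithm for this example
    payload = {"sub": user_id, "roles": list(roles), "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, now=None):
    """Return the payload if the signature is valid and the token is unexpired, else None.

    No server-side session store is consulted: the token is the whole state, which is
    why a role change or a compromised token cannot be acted on until it expires or the
    secret is rotated.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        h, p, s = token.split(".")
        # Always verify as HS256 regardless of what the header claims.
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 or JSON
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def demo():
    """Walk through quirks 1, 4 and 3 with constructed values; returns three booleans."""
    secret = b"constructed-demo-secret"
    t0 = 1_700_000_000  # constructed login time
    token = issue_token(secret, "123", ["Supporter"], now=t0)

    # Quirk 1: the user is promoted server-side, but the token still says Supporter.
    current_roles = {"123": ["Supporter", "Moderator"]}
    claims = verify_token(token, secret, now=t0 + 60)
    stale_roles = claims["roles"] == ["Supporter"] and current_roles["123"] != claims["roles"]

    # Quirk 4: exactly 3 hours after login the token no longer verifies.
    expired = verify_token(token, secret, now=t0 + TOKEN_LIFETIME) is None

    # Quirk 3: rotating the secret invalidates every token issued under the old one.
    revoked_by_rotation = verify_token(token, b"rotated-secret", now=t0 + 60) is None
    return stale_roles, expired, revoked_by_rotation


if __name__ == "__main__":
    print(demo())
```

Until the v1 rewrite the author mentions lands, the operational consequence is the one the page gives: a suspected token compromise is handled by rotating the secret, which logs everyone out, and a demotion only takes effect once the user's current token expires or they log in again.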