Reworking user roles grant and admin #491

Open
fungilation opened this issue Mar 22, 2024 · 2 comments

fungilation commented Mar 22, 2024

Context: in nhost.toml, standard config for roles.allowed:

```toml
[auth.user.roles]
default = 'user'
allowed = ['user']
```

When roles.allowed includes other roles, such as moderator, "allowed" implies a list that could be granted to users. But no, the current behaviour is that any role on this list is auto-granted to all new users. This is misleading and dangerous when additional roles are associated with higher permissions, and thus should be only allowed but require an explicit (manual) grant to select users.

I suggest reworking this for both nhost.toml and dashboard /users, e.g.

image

Allowed Roles here should instead be a new config for "Granted Roles", where it lists all roles in the auth.roles table, with select toggles on as per what's been granted under the auth.user_roles table.

And then, in dashboard /settings/roles-and-permissions

image

This actual Allowed Roles list should be just a CRUD interface to configure the auth.roles table. Could even just link out to dashboard /database/browser/default/auth/roles.

With the above, auth.user.roles.allowed in nhost.toml should be deprecated. Grant is per user_roles, and Allowed is all rows in the roles table.

@dbarrosop dbarrosop self-assigned this Apr 3, 2024
dbarrosop (Member) commented

Thanks, we will take a look.


stale bot commented Sep 30, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 30, 2024
@dbarrosop dbarrosop removed the stale label Sep 30, 2024