Discover and implement a way to seed and manage permissions properly

HZ-HBO-ICT / it-conference

Official repository for the IT-Conference

https://weareinittogether.nl

MIT License

5 stars 0 forks source link

Discover and implement a way to seed and manage permissions properly #406

Closed v-stamenova closed 1 month ago

v-stamenova commented 2 months ago

To implement this, we need to:

[x] Decide on a naming convention for permissions (i.e. "edit article", "edit-article" or "article-edit")
[x] Design an xml/json/yaml/csv-like format that defines all the roles and permissions for the app, which can be version controlled by Git OR decide if we are creating a roles and permissions config php file in the /config folder
[x] Implement an artisan command (i.e. php artisan permissions:upsert) that synchronizes the roles and permissions in the database with the definition files

Edit: We need to change the term 'upsert' into 'synchronize'. This because upsert will either insert new or update exiting items and does NOT delete items that shouldn't be in the database anymore.

dwaard commented 1 month ago

For the file format, I would suggest a YML, structured like:

# The YML file format allows for comments to be added to the file.
# This makes it possible to add explanations to the file.
# The roles are defined in the roles section of the file.
roles:
  - admin   # The admin role has the highest level of access.
  - editor  # The editor role has the second highest level of access.
  - user    # The user role has the lowest level of access.

# The permissons are grouped per resource and action. 
# The roles that are allowed to perform the action are listed under the action.
permissions:
  article:
    create:
      # defined as an array 
      [admin, editor]
    read:
      [admin, editor, user]
    update:
      # defined as a sequence
      - admin
      - editor
    destroy:
      - admin
  comment:
    create:
      - admin
      - editor
      - user
    read:
      - admin
      - editor
      - user
    update:
      - admin
      - editor
    destroy:
      - admin

Open questions here are:

Do we need more specific permissions than basic CRUDs and how do we cope with this?

dwaard commented 1 month ago

For the naming convention, different examples can be found. It appears to be personal preference. Considerations might be:

Sorting order ("article-destroy" has a more logical sorting order)
Expressiveness ("@can("edit-article", $atricle)") is more expressive

dwaard commented 1 month ago

For the admin command, I suggest to merge this into the UpsertMasterData.php command. and while we are at it, why not transfer all the masterdata into this structure?

dwaard commented 1 month ago

UPDATE: adding more config features, like atomic and resource permissions:

permissions:
  like-page: [editor, user] # an atomic permission
  launch-nuke: [admin] # another atomic permission
  # Next are nested permissions. These are grouped per resource and action.
  article:
    create: [admin, editor] # These roles are defined as an array
    update:
      # These roles are defined as a sequence
      - admin
      - editor
    destroy:
      - admin