JIITODC / bot

JIITODC's very own telegram bot!
MIT License
6 stars, 10 forks

Role based access control (RBAC) for bot functions #7

Open arvindpunk opened 3 years ago

arvindpunk commented 3 years ago

Summary

To implement an RBAC system, similar to how AWS roles are used.

Add tier-wise roles to every user (admin > moderator > everyone (or no role)); each user/user ID is mapped to one of these roles (for persistence across restarts, this requires a DB).

Every user invokable function should have some identification (a decorator, perhaps?) - which checks if the invoker has enough permissions to invoke the function. The body of the function itself should only contain the business logic pertaining to that function and not related to permissions.

Implementation

Examples speak for themselves,

@everyone
def xkcd(update, context):
    ...

@moderator
def kick(...):
    ...

New roles can be made by creating their decorator function and adding the role name to the priority list. Role-to-permission(s) mapping is something to be thought about as well.

rolePriorityList = ['admin', 'moderator', 'everyone']

Additional (optional) enhancements,

  1. Should a higher-priority role have the permissions of all roles below it?
  2. An admin only function for giving roles (like /addrole @tag moderator)
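One way the decorator scheme, the priority list and both optional enhancements could fit together, as an added example that is not JIITODC/bot's own code. It assumes handlers use the python-telegram-bot style `handler(update, context)` signature and that `update.effective_user.id` yields the invoking Telegram user ID; the `USER_ROLES` dict and its contents are constructed stand-ins for the database the issue says persistence needs.

```python
"""Added example: decorator-based RBAC for bot handlers (not JIITODC/bot code).

Assumptions: handlers take (update, context) as in python-telegram-bot, and
update.effective_user.id is the caller's Telegram user ID. USER_ROLES is an
in-memory stand-in for the database the issue says persistence requires.
"""
import functools
from types import SimpleNamespace

# Most privileged role first. A role implicitly holds every role listed after it
# (enhancement 1: admin can do anything a moderator can, and so on).
ROLE_PRIORITY = ["admin", "moderator", "everyone"]

# user_id -> role. Constructed sample data standing in for the DB.
USER_ROLES = {1001: "admin", 1002: "moderator"}

DEFAULT_ROLE = "everyone"  # anyone without a stored role


class PermissionDenied(Exception):
    """Raised before the handler body runs if the caller lacks the role."""


def role_of(user_id):
    return USER_ROLES.get(user_id, DEFAULT_ROLE)


def has_role(user_id, required):
    """True if the caller's role is at least as privileged as ``required``.

    Lower index in ROLE_PRIORITY means more privilege, so the check is '<='.
    """
    return ROLE_PRIORITY.index(role_of(user_id)) <= ROLE_PRIORITY.index(required)


def requires(required):
    """Build a decorator that gates a handler on ``required``.

    Unknown role names fail at decoration time, not at first invocation, so a
    typo in a role name is caught when the module loads.
    """
    if required not in ROLE_PRIORITY:
        raise ValueError(f"unknown role {required!r}")

    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(update, context, *args, **kwargs):
            user = getattr(update, "effective_user", None)
            # Fail closed: updates with no user (e.g. channel posts) are denied.
            if user is None or not has_role(user.id, required):
                who = "<no user>" if user is None else f"{user.id} ({role_of(user.id)})"
                raise PermissionDenied(f"{who} needs role {required!r}")
            # The handler body holds only business logic; no permission code here.
            return handler(update, context, *args, **kwargs)

        wrapper.required_role = required  # introspectable, e.g. for a /help listing
        return wrapper

    return decorator


# One decorator per role, as sketched in the issue. Adding a role means adding
# it to ROLE_PRIORITY and one line here.
everyone = requires("everyone")
moderator = requires("moderator")
admin = requires("admin")


@everyone
def xkcd(update, context):
    return "xkcd comic"


@moderator
def kick(update, context, target_id):
    return f"kicked {target_id}"


@admin
def addrole(update, context, target_id, role):
    """Enhancement 2: admin-only role assignment (like /addrole @tag moderator)."""
    if role not in ROLE_PRIORITY:
        raise ValueError(f"unknown role {role!r}")
    USER_ROLES[target_id] = role  # a real bot would write this to the DB
    return role_of(target_id)


def fake_update(user_id):
    """Constructed stand-in for a telegram Update carrying effective_user.id."""
    return SimpleNamespace(effective_user=SimpleNamespace(id=user_id))


if __name__ == "__main__":
    print(xkcd(fake_update(9999), None))          # anyone may call this
    print(kick(fake_update(1001), None, 42))      # admin inherits moderator
    try:
        kick(fake_update(9999), None, 42)         # plain user is refused
    except PermissionDenied as exc:
        print("denied:", exc)
```

The deny check runs before the wrapped function is entered, so a refused call never reaches the business logic, and the lookup falls back to `everyone` for unknown IDs rather than raising, which keeps the default least-privileged.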