Product Backlog 003: User roles

[MachHach]

Currently there is no user roles / groups / role group / similar authorization groupings.

To implement.

[MachHach]

Initial design

• Models: Users, Groups, Roles, Permissions
• Decomposed models: UserGroups, GroupRoles, RolePermissions
• Access control assignments can only be performed as per model pairing defined above, so for instance, we cannot assign roles to users since we do not define "UserRoles".
• This is intentional to avoid arbitrary permission assignment to users.
• We also need a dedicated Access Control management page for Role Administrators, so that they have a transparent overview of all possible permissions for each user / group / role.
• Example data: Johnny user belongs to Student group, which has ProposalAuthor role (containing Proposal.Create, Proposal.Edit, Proposal.Submit, Proposal.Withdraw permissions).

TODO

• [ ] Create models for access control
• [ ] Seed database
• [ ] Create page for access control management

[MachHach]

Data-specific access control also need to be defined, per case basis.

For example, only related entities of a project group (students and the supervisor(s)) can read that project group's proposals, in addition to the FYP coordinator.

[MachHach]

This can be simplified by leveraging on Laravel's authorization methods.

• Policy for model / resource authorization, doubles as a form of ACL to the models (can also cover the data-specific access control use case).
• Gate for other cases which do not concern about models, e.g. an admin dashboard page.

Note that we still need the authorization models proposed above to allow flexible, runtime adjustments to authorization rules specific to the business logic.