Closed brianbest closed 8 years ago
addressed in https://github.com/Phasedio/webapp/tree/issue%2335. roles stored in FB/team/[teamname]/roles, where userID = role.
Firebase is accessed through requests to /api/auth/roles, but since Firebase can be accessed by client-side JS it's still not very secure.
Security rules for setting roles are in server/api/auth/auth.controller::setRole(). Rules for accessing /admin are still handled client-side; I'm not sure how to access the current user's id from server/routes.js.
Sweet, I'll start styling this and getting it into master.
Yeah, sorry I should have explained that part better!!! The Firebase thing is a bit weird but we can assign the server a token and make a rule that basically says changes can only come from this token. It's not set up yet but when it is, the client side will get an error when trying to access that side of the app.
new rule for team/$team/roles: ".write" : "auth.origin == 'auth.controller.js'"
could be a pattern to check that the incoming data is actually coming from the expected controller. unfortunately the IP address isn't available (and both of these values could be spoofed anyway; I think we're mostly relying on malicious attempts not knowing the security rules)
Set up a new page named Admin. On this page there should be a list of users, beside each user a way to select the role that they occupy. Only allowed to select one of 3 options, member, admin and owner. Don't worry about styling.
Members are not allowed to access the Admin page. Admins and Owner are allowed to see Admin. Only Owner can make someone else owner.
The other side thing is I would like the user changes, and the role check to go through node express server so we can put some security rules on this.
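As an added example (not code from the Phasedio/webapp repository), here is the member/admin/owner model from this issue written as server-side checks: admins and owners may view Admin, only an owner may grant owner, and the decision is made on the Express side from the server's own notion of who the caller is rather than in client-side JS. The in-memory role map standing in for FB/team/[teamname]/roles, the `req.user.id` shape, and the rule that you cannot change the role of someone who outranks you are assumptions.

```javascript
// Added example: server-side role checks for the member/admin/owner model.
// Not the Phasedio/webapp code; the role map and req.user shape are assumed.
const ROLES = ['member', 'admin', 'owner']; // ordered from least to most privileged

function rank(role) {
  const r = ROLES.indexOf(role);
  if (r === -1) throw new Error(`unknown role: ${role}`);
  return r;
}

// Admins and owners may open /admin; members may not.
function canViewAdmin(actorRole) {
  return rank(actorRole) >= rank('admin');
}

// Who may assign which role: only an owner may make someone an owner,
// an admin may set member/admin, a member may set nothing, and the role
// being granted must be one of the three known values (reject anything else).
function canSetRole(actorRole, newRole) {
  if (!ROLES.includes(newRole)) return false;
  if (newRole === 'owner') return actorRole === 'owner';
  return rank(actorRole) >= rank('admin');
}

// Constructed in-memory stand-in for FB/team/<team>/roles (userID -> role).
const teamRoles = { team1: { alice: 'owner', bob: 'admin', carol: 'member' } };

// Decides a role change on the server. actorId must come from the server's
// session/token, never from the request body. Assumed extra rule: an actor
// may not change the role of a user who outranks them (e.g. admin demoting owner).
function setRole(store, team, actorId, targetId, newRole) {
  const roles = store[team];
  if (!roles || !(actorId in roles)) return { ok: false, status: 403 };
  const actorRole = roles[actorId];
  const targetRole = roles[targetId] || 'member';
  if (!canSetRole(actorRole, newRole)) return { ok: false, status: 403 };
  if (rank(targetRole) > rank(actorRole)) return { ok: false, status: 403 };
  roles[targetId] = newRole;
  return { ok: true, status: 200 };
}

// Express-shaped handler for POST /api/auth/roles; only setRole() would need
// to change if the store moves from this map to Firebase.
function setRoleHandler(req, res) {
  const { team, userId, role } = req.body;
  const result = setRole(teamRoles, team, req.user.id, userId, role);
  res.status(result.status).json({ ok: result.ok });
}
```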