Permissions system

[NanoSector]

We'll need to introduce a sophisticated permissions system. I've been looking into a DAC (Discretionary Access Control) based system.

Some points to consider:

• Users can be inside groups (e.g. OPs in a channel, voiced users, banned users, ...). This not only provides a way to check authorization but also a method to for checking if a user exists inside a group. These special groups will need to be checked at runtime as keeping state for them is useless (the bot already knows which users are inside which modes).
• Users can be inside custom groups. Eg. an 'admin' group can be created which will contain all the bot's administrators.
• Permissions may be given according to user identity.

There currently is a very basic permissions system inside the bot but it does not implement DAC properly. (the current system merely checks if the given parameters match any of the criteria objects associated with the permission).

I had some basic rules in mind:

• A group may be any of the groups the user is in.
• Permission may be given if either the group or the user identity matches.

And I also had some potential problems in mind:

• Storage of permission data? Storing PHP objects inside a SQLite database isn't ideal. However, we might be able to store group data based on IRC account when logged in, but this adds the requirement of being logged in to use permissions (which might be a good thing as relying on nicknames is inherently insecure). We could use the Flintstone storage system that is currently included in the bot but this is a plain text system.
• Invalidation of permission data? Once a user quits IRC, any leftover permission data directly related to that user should probably be saved and deleted from memory. (although this data could be re-used if the user logs back on. Any thoughts?)

If anyone has any ideas for pre-existing classes or frameworks for such permissions systems that would be great. Otherwise we'll have to resort to building our own.

[NanoSector]

As an alternative we could just do simple username/password based authentication. The Phrik bot in the Arch Linux channel does so and can match against hostname to verify a user without logging him/her in. This is probably an easier method and more convenient (you can simply map permissions to user accounts).

[NanoSector]

This should be mostly tackled now, I wrote a new system which I will commit in a little bit.

What needs to be done is write up some sensible default groups and permissions. Perhaps have a way to show the permissions in a nice overview.

[NanoSector]

What also still needs to be done is the ability to map groups to channels, maybe.

[NanoSector]

Should be all done :)