Open Chieze-Franklin opened 1 year ago
**Organisation:**

An organisation can be private or public (default).

Viewing an organisation:
- If the organisation is public then you can view it.
- If not:
  - If you are a member of the organisation then you can view it.

Updating, deleting an organisation (including creating teams and projects):
- If you are a member of the organisation and any of the teams you belong to within the organisation has ADMIN privilege then you can update or delete it.
**Project:**

- A project can be either private or public.
- A project can belong to a user or an organisation.
- A project will assume the visibility (private/public) of its parent organisation, if it belongs to an organisation.
- A project will be public by default if it belongs to a user.
- Behind the scenes a default organisation is created for each user. The user is added to a default team within that organisation with ADMIN privilege.
Viewing a project:
- If the project is public then you can view it.
- If the project is private:
  - If the project is a user project: same as the rules for an organisation project because, internally, every project is an organisation project.
  - If the project is an organisation project:
    - If you are a member of the parent organisation then you can view it.

Updating, deleting a project:
- If the project is a user project: same as the rules for an organisation project because, internally, every project is an organisation project.
- If the project is an organisation project:
  - If you belong to any team that has WRITE privilege on that project or ADMIN privilege then you can update it.
**Permission:**

- Team
- Privilege (GUEST, READ, WRITE, ADMIN)
- Resource
- When a user joins an organization, a membership record is created. The user's role in the org will determine their authorization to perform organization-wide actions like adding/removing users, renaming, creating new projects, etc.
- When a user joins a team, a team membership is created.
- When a user joins a project, a collaboration is created.
**Authorizing Org Actions**

A user has only one relationship with an org: membership. When a user tries to perform an action on an org, fetch the single membership that associates the user with the org and check the `membership.role`.

**Authorizing Project Actions**
A user can have multiple relationships with a project. For instance, a user may be added to a project and, at the same time, a team the user belongs to may also be added to the same project. Each addition may have a different permission. A user may also belong to multiple teams which are simultaneously added to a project with different permissions. These possibilities make authorizing project actions a bit more complex.
When a CURRENT_USER tries to perform an ACTION on a PROJECT which requires a PERMISSION:
`findTeamMemberships({ user, team, org })`
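The rules above (org visibility and admin checks, project visibility inherited from the parent org, and the "multiple relationships with a project" case) are easy to get subtly wrong, so here is an added in-memory sketch of them. This is example code written for this discussion, not the project's own implementation: the record shapes, the `db` sample data, the GUEST < READ < WRITE < ADMIN ordering and all function names are assumptions. The project check resolves every relationship the user has with the project (direct collaboration plus every team the user belongs to that was added to the project) and takes the highest permission, so a READ team grant cannot silently hide a WRITE collaboration or vice versa.

```javascript
// Added example: in-memory model of the authorization rules discussed in this issue.
// Shapes, names and the privilege ordering are assumptions, not the project's schema.
const PRIVILEGE_RANK = { GUEST: 0, READ: 1, WRITE: 2, ADMIN: 3 };

// true when `granted` is defined and at least as strong as `required`
const hasAtLeast = (granted, required) =>
  granted !== undefined && PRIVILEGE_RANK[granted] >= PRIVILEGE_RANK[required];

// Constructed sample data.
const db = {
  orgs: {
    acme: { isPublic: false },
    'dave-default': { isPublic: true }, // default org created behind the scenes for user dave
  },
  orgMemberships: [
    { user: 'alice', org: 'acme', role: 'ADMIN' },
    { user: 'bob', org: 'acme', role: 'READ' },
    { user: 'carol', org: 'acme', role: 'READ' },
    { user: 'dave', org: 'dave-default', role: 'ADMIN' },
  ],
  teams: { 'acme-devs': { org: 'acme' } },
  teamMemberships: [
    { user: 'bob', team: 'acme-devs' },
    { user: 'carol', team: 'acme-devs' },
  ],
  projects: { api: { org: 'acme' }, site: { org: 'dave-default' } },
  teamProjects: [{ team: 'acme-devs', project: 'api', permission: 'READ' }], // team added to a project
  collaborations: [{ user: 'bob', project: 'api', permission: 'WRITE' }],  // user added to a project
};

// The single relationship a user has with an org.
function findOrgMembership(user, org) {
  return db.orgMemberships.find((m) => m.user === user && m.org === org);
}

function canViewOrg(user, org) {
  if (db.orgs[org].isPublic) return true;
  return findOrgMembership(user, org) !== undefined;
}

function canAdminOrg(user, org) {
  const m = findOrgMembership(user, org);
  return m !== undefined && hasAtLeast(m.role, 'ADMIN');
}

// All teams within `org` that `user` belongs to.
function findTeamMemberships({ user, org }) {
  return db.teamMemberships.filter((tm) => tm.user === user && db.teams[tm.team].org === org);
}

// Highest permission across every relationship the user has with the project,
// or undefined when there is none.
function effectiveProjectPermission(user, project) {
  const org = db.projects[project].org;
  const grants = db.collaborations
    .filter((c) => c.user === user && c.project === project)
    .map((c) => c.permission);
  const teams = new Set(findTeamMemberships({ user, org }).map((tm) => tm.team));
  for (const tp of db.teamProjects) {
    if (tp.project === project && teams.has(tp.team)) grants.push(tp.permission);
  }
  if (grants.length === 0) return undefined;
  return grants.reduce((best, p) => (PRIVILEGE_RANK[p] > PRIVILEGE_RANK[best] ? p : best));
}

// A project inherits the visibility of its parent org; private projects are
// visible to members of that org.
function canViewProject(user, project) {
  const org = db.projects[project].org;
  if (db.orgs[org].isPublic) return true;
  return findOrgMembership(user, org) !== undefined;
}

// Org admins can update any project in the org; otherwise WRITE is required.
function canUpdateProject(user, project) {
  const org = db.projects[project].org;
  if (canAdminOrg(user, org)) return true;
  return hasAtLeast(effectiveProjectPermission(user, project), 'WRITE');
}

module.exports = { canViewOrg, canAdminOrg, canViewProject, canUpdateProject, effectiveProjectPermission };
```

In this data `bob` is READ through his team but WRITE through a direct collaboration, so he can update `api`; `carol` shares the team but has no collaboration, so she can view `api` as an org member but not update it; `eve` has no membership anywhere and only sees the public `site` project.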