agnos-cloud / agnos-rest-api

The core API service for Agnos Cloud

Authorisation Management #20

Open Chieze-Franklin opened 1 year ago

Chieze-Franklin commented 1 year ago

When a user joins an organization, a membership record is created.

{
    user,
    org,
    role: "GUEST" | "MEMBER" | "OWNER"
}

The user's role in the org will determine their authorization to perform organization-wide actions like adding/removing users, renaming, creating new projects, etc.

When a user joins a team, a team membership is created.

{
    user,
    org,
    team
}

When a user joins a project, a collaboration is created.

{
    org,
    owner,
    ownerType: "USER" | "TEAM",
    project,
    permission: "READ" | "WRITE" | "MANAGE"
}

Authorizing Org Actions

A user has only one relationship with an org: membership.

When a user tries to perform an action on an org, fetch the single membership that associates the user with the org and check the membership.role.

Authorizing Project Actions

A user can have multiple relationships with a project. For instance, a user may be added to a project and, at the same time, a team the user belongs to may also be added to the same project. Each addition may have a different permission. A user may also belong to multiple teams which are simultaneously added to a project with different permissions. These possibilities make authorizing project actions a bit more complex.

When a CURRENT_USER tries to perform an ACTION on a PROJECT which requires a PERMISSION:

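Added example (not the agnos-rest-api project's own code) of the two checks described in this comment, written in TypeScript because the record sketches above use TypeScript-style union types. The numeric rank of roles and permissions, and the rule that the highest permission across a user's direct and team collaborations wins, are assumptions; the comment does not state them.

```typescript
// Added example (not agnos-rest-api code): authorization checks over the
// membership, team-membership and collaboration records sketched in the issue.
type OrgRole = "GUEST" | "MEMBER" | "OWNER";
type Permission = "READ" | "WRITE" | "MANAGE";
interface Membership { user: string; org: string; role: OrgRole }
interface TeamMembership { user: string; org: string; team: string }
interface Collaboration {
  org: string; owner: string; ownerType: "USER" | "TEAM";
  project: string; permission: Permission;
}
// Assumed orderings: the issue lists the values but not how they rank.
const ROLE_RANK: Record<OrgRole, number> = { GUEST: 1, MEMBER: 2, OWNER: 3 };
const PERM_RANK: Record<Permission, number> = { READ: 1, WRITE: 2, MANAGE: 3 };

// Org actions: exactly one membership links a user to an org. Zero or more than
// one is treated as a data-integrity problem and denied rather than guessed at.
function canActOnOrg(ms: Membership[], user: string, org: string, needed: OrgRole): boolean {
  const mine = ms.filter(m => m.user === user && m.org === org);
  const only = mine.length === 1 ? mine[0] : undefined;
  return only !== undefined && ROLE_RANK[only.role] >= ROLE_RANK[needed];
}

// Project actions: gather every collaboration that reaches the user, directly or
// through a team they belong to. Assumed rule: the highest permission wins;
// with no matching collaboration the result is null (deny by default).
function effectivePermission(tms: TeamMembership[], cs: Collaboration[],
                             user: string, project: string): Permission | null {
  const myTeams = new Set(tms.filter(t => t.user === user).map(t => `${t.org}/${t.team}`));
  let best: Permission | null = null;
  for (const c of cs) {
    if (c.project !== project) continue;
    const viaUser = c.ownerType === "USER" && c.owner === user;
    const viaTeam = c.ownerType === "TEAM" && myTeams.has(`${c.org}/${c.owner}`);
    if (!(viaUser || viaTeam)) continue;
    if (best === null || PERM_RANK[c.permission] > PERM_RANK[best]) best = c.permission;
  }
  return best;
}

function canActOnProject(tms: TeamMembership[], cs: Collaboration[],
                         user: string, project: string, needed: Permission): boolean {
  const eff = effectivePermission(tms, cs, user, project);
  return eff !== null && PERM_RANK[eff] >= PERM_RANK[needed];
}

// Constructed sample data: alice is directly READ on p1, but her team "backend" is WRITE.
const MEMBERSHIPS: Membership[] = [{ user: "alice", org: "o1", role: "MEMBER" }];
const TEAM_MEMBERSHIPS: TeamMembership[] = [{ user: "alice", org: "o1", team: "backend" }];
const COLLABORATIONS: Collaboration[] = [
  { org: "o1", owner: "alice", ownerType: "USER", project: "p1", permission: "READ" },
  { org: "o1", owner: "backend", ownerType: "TEAM", project: "p1", permission: "WRITE" },
  { org: "o1", owner: "backend", ownerType: "TEAM", project: "p2", permission: "MANAGE" },
];
```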

Chieze-Franklin commented 1 year ago

OLD NOTE:

Organisation:

An organisation can be private or public (default).

Viewing an organisation

If the organisation is public then you can view it

If not

If you are a member of the organisation then you can view it

Updating, deleting an organisation (including creating teams and projects)

If you are a member of the organisation and any of the teams you belong to within the organisation has ADMIN privilege then you can view it

Project:

A project can be either private or public.

A project can belong to a user or an organisation.

A project will assume the visibility (private/public) of its parent organisation, if it belongs to an organisation.

A project will be public by default if it belongs to a user.

Behind the scenes a default organisation is created for each user. The user is added to a default team within that organisation with ADMIN privilege.

Viewing a project:

If the project is public then you can view it

If the project is private

If the project is a user project

Same as the rules for organisation project because, internally, every project is an organisation project.

If the project is an organisation project

If you are a member of the parent organisation then you can view it

Updating, deleting a project:

If the project is a user project

Same as the rules for organisation project because, internally, every project is an organisation project.

If the project is an organisation project

If you belong to any team that has WRITE privilege on that project or ADMIN privilege then you can update it

Permission:

Team

Privilege (GUEST, READ, WRITE, ADMIN)

Resource