Authorization system missing

[hryamzik]

I do like this project but I miss roles and permission, anyone could read, anyone authenticated could write – that's frustrating.

[claudioc]

Hi,

what kind of permissions schema would you like to suggest? What's your use case?

Thanks!

[hryamzik]

It could be simple: groups with read only and read-write and no access, ability to place anonymous to 'no access' and to set groups for users already seen by system (authorised).

[chevcast]

I didn't realize this was a missing feature at first. I guess this won't work as a public wiki like I thought. Maybe in the future :)

[cbebry]

One use case I can consider for permissions is the protection against repetitive malicious edits. Is there a way to prevent an identified user from being able to edit? Like a blacklist of some sort perhaps.

[claudioc]

No, at the moment there is no authorisation system in place. It would be easy to hack something (just follow how I use the validMatches in the auth route), but making one that is easy to setup and easy to maintain will open an enourmous pandora box which will make the whole codebase bigger and full of strange corner cases.

Just from the top of my mind:

• we could implement roles (i.e. 'Editor') and permissions (i.e. 'Can edit')
• we then need to find a good way to put people inside the roles (yet another configuration file?)
• once you have put permissions in place, you have the problem to define the what, the subject under the permission: what if you want 'Authors' to only edit the pages they created? Or maybe you want them to only edit the pages in the 'Manual' directory (but Jingo only supports a flat hierarchy)
• what about the roles? Should they be dynamic? So that you define them on what the people with that role can do? Or a role also define the permissions?
• and what if I want a person to have more than one role? A rule should be in place to not overlap inconsistent permissions then

It'd be a really big deal, and I don't see a way to make it in a way that prevents to grow out of the scope of Jingo (which – as I often say – is not thought to be a full blown CMS, but a simple "viewer/editor" of a git repository).

[ghost]

Hej, Claudio :)

I find validMatches to be a good enough way to restrict the write access to the wiki.

May be some kind of granularity would be easy to implement and also would add useful functionality, for Ex. a simple list of (email regular expression, page name regular expression) pairs. This way it would be possible to allow non-admins to change only specific existing pages. Does not solve a bunch of issues, like, what if an editor would like to add a new page etc, but enables for a very specific scenario when I want to let somebody edit my article without risking unauthorized access to the rest of the wiki. And because the page names are also regexes, it would be possible to organize page titles in such a way that the admins could allow write permissions to whole content sections.