decent-chat / decent

Open source messaging platform for the modern web
https://meta.decent.chat
GNU General Public License v3.0

Should a user with manageRoles be able to delete roles that contain settings for permissions that the user does not have? #303

Open towerofnix opened 6 years ago

towerofnix commented 6 years ago

I'm leaning towards "no", but I'd like thoughts.

bates64 commented 6 years ago

Is there a 'manageAllRoles' permission, or similar? Otherwise I'd say manageRoles should let you control all manner of roles, i.e. you're an admin. Not sure how it's currently laid out in the spec though?

bates64 commented 6 years ago

Side Q - @towerofnix does the spec make the _member and _guest (or whatever their names are) roles obvious enough that they will be implemented by default? We should probably declare a default set of permissions for these default roles (that servers should use at init) and say they may not be renamed or deleted.

towerofnix commented 6 years ago

@heyitsmeuralex Updating the docs to make note of the specific permissions given to default roles would be good. In my branch, I've got a roles.js file that contains all default roles.
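
The "no" option from this thread, together with the proposal that the default roles may not be deleted, written out as a check. This is an added example, not part of the thread and not code from the decent repository. Only `manageRoles`, `_member` and `_guest` come from the discussion; the role data shape, the other permission names, the override order and the function names are assumptions.

```javascript
// Added illustration, not code from the decent repository.
// From the thread: manageRoles, _member, _guest. Everything else (data shape,
// other permission names, role ordering) is an assumption for this sketch.
const DEFAULT_ROLE_IDS = new Set(['_member', '_guest']);

// Merge a user's roles into effective permissions. Assumed model: later roles
// override earlier ones; undefined means the role has no setting for that name.
function effectivePermissions(roles) {
  const held = {};
  for (const role of roles) {
    for (const [name, value] of Object.entries(role.permissions)) {
      if (value === true || value === false) held[name] = value;
    }
  }
  return held;
}

// The "no" policy: manageRoles alone is not enough. The actor must also hold
// every permission the target role has a setting for, and default roles stay.
function checkRoleDeletion(actorRoles, targetRole) {
  const held = effectivePermissions(actorRoles);
  const deny = (reason, lacking = []) => ({ allowed: false, reason, lacking });
  if (held.manageRoles !== true) return deny('actor lacks manageRoles');
  if (DEFAULT_ROLE_IDS.has(targetRole.id)) return deny('default role');
  // A setting of false counts too: deleting a role that denies a permission
  // can hand that permission back to the role's members.
  const lacking = Object.entries(targetRole.permissions)
    .filter(([name, value]) => value !== undefined && held[name] !== true)
    .map(([name]) => name);
  if (lacking.length > 0) return deny('role sets permissions the actor lacks', lacking);
  return { allowed: true, reason: 'ok', lacking: [] };
}

// Constructed sample data.
const moderatorRoles = [
  { id: '_member', permissions: { sendMessages: true } },
  { id: 'mod', permissions: { manageRoles: true } },
];
const mutedRole = { id: 'muted', permissions: { sendMessages: false } };
const adminRole = { id: 'admin', permissions: { manageServer: true, manageRoles: true } };

console.log(checkRoleDeletion(moderatorRoles, mutedRole));
console.log(checkRoleDeletion(moderatorRoles, adminRole));
console.log(checkRoleDeletion(moderatorRoles, { id: '_guest', permissions: {} }));
```
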