kimai / kimai

Kimai is a web-based multi-user time-tracking application. Works great for everyone: freelancers, companies, organizations - everyone can track their times, generate reports, create invoices and do so much more. SaaS version available at https://www.kimai.cloud
https://www.kimai.org
GNU Affero General Public License v3.0

Get details on roles from API #4061

Open AlexandrePTJ opened 1 year ago

AlexandrePTJ commented 1 year ago

Describe the problem

From the kemai client, I would like to check if a user can create a project/activity/... before sending the request

Describe the solution you'd like

As roles are already part of UserEntity, it may be useful to get the list of associated permissions of a given role

Describe alternatives you've considered

No response

Screenshots

No response

kevinpapst commented 1 year ago

This would leak the internal data structure of Kimai, my gut feeling tells me we should change that. Can you define your requirements, probably as JSON, so we can create an endpoint that is simpler to use and understand?

muxelplexer commented 1 year ago

Currently one can only retrieve the roles of a user without any of the permissions.

I can understand if not all permissions should be publicly available, but the create_team, create_customer and create_activity permissions would at least be needed on the /api/users/me endpoint. For our requirements the current user would suffice.

Maybe a /api/roles endpoint with a different number of returned permissions depending on the current permissions of the user would better fit the general API?

muxelplexer commented 1 year ago

The only way one could currently check the permissions is by sending an invalid request to the create endpoint and checking for a 403. That would be a bit ungraceful though.

kevinpapst commented 1 year ago

Who is behind "our requirements"? I have never seen you post here @muxelplexer, so welcome 👋 , but I am intrigued how it comes that you suddenly show up on a new issue with an existing requirement.

muxelplexer commented 1 year ago

Ah, I'm sorry ^^ I've started working on the permission stuff over on Kemai, so I thought I'd give my 2 cents to it :)

Thanks for the welcome

AlexandrePTJ commented 1 year ago

This would leak the internal data structure of Kimai, my gut feeling tells me we should change that. Can you define your requirements, probably as JSON, so we can create an endpoint that is simpler to use and understand?

I understand. You are right, Kemai does not need to know about all permissions/roles structures. In fact we only need the permissions of the current logged-in user. We already use the /api/users/me endpoint. So maybe a permissions array can be added in UserEntity:

    UserEntity {
        ...
        roles: [strings]       // List of role names
        permissions: [strings] // List of permission names
    }

kevinpapst commented 1 year ago

I cannot simply extend an endpoint with new arbitrary fields. The JSON structure is based on the internal entity structure.

This needs a new endpoint. Maybe a simple map with a list of base permissions:

AlexandrePTJ commented 1 year ago

A new endpoint like /api/permissions/me ? Will this list of base permissions be a selected subset of the permissions available, or guessed from the actual permissions?
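The two sides of this thread (a dedicated endpoint that returns only a small allow-listed set of "base" permissions rather than exposing the internal role structure, and a client that checks that list before issuing a create request instead of probing for a 403) can be sketched in a few lines. The following is an added example, not Kimai or Kemai code: the role-to-permission map, the allow-list, and the /api/permissions/me shape are all constructed assumptions for illustration and do not reproduce Kimai's real tables.

```python
"""Added example (not Kimai/Kemai code): allow-listed permission projection
for an API response, plus the client-side pre-check that consumes it.
Every role and permission name here is constructed for illustration."""
from typing import Optional

# Constructed role -> permission map. Hypothetical; NOT Kimai's internal data.
ROLE_PERMISSIONS = {
    "ROLE_USER": {"view_own_timesheet", "create_own_timesheet"},
    "ROLE_TEAMLEAD": {"create_activity", "view_team"},
    "ROLE_ADMIN": {
        "create_customer", "create_project", "create_activity",
        "create_team", "edit_user",
    },
}

# Allow-list of permissions the API is willing to tell a client about.
# Anything outside it (e.g. edit_user) never leaves the server, so the
# endpoint does not reveal the whole internal permission structure.
BASE_PERMISSIONS = (
    "create_customer", "create_project", "create_activity", "create_team",
)


def effective_permissions(roles):
    """Union of the permissions granted by each role; unknown roles add nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def permissions_for_api(roles):
    """Server side: body a hypothetical /api/permissions/me could return.

    Only allow-listed names are emitted, in a fixed order, so the response
    stays small and stable regardless of how roles are modelled internally."""
    have = effective_permissions(roles)
    return [p for p in BASE_PERMISSIONS if p in have]


def can_create(api_user, entity) -> Optional[bool]:
    """Client side: True/False if the response carries a permissions list,
    None if it does not (today's /api/users/me payload), so the caller can
    tell "not allowed" from "unknown"."""
    perms = api_user.get("permissions")
    if perms is None:
        return None
    return f"create_{entity}" in perms


def should_send_create(api_user, entity) -> bool:
    """Send the create request unless the client positively knows it would
    be refused; an unknown answer still falls back to the server's 403."""
    return can_create(api_user, entity) is not False


if __name__ == "__main__":
    # Constructed sample payloads, as a client might receive them.
    admin = {"roles": ["ROLE_ADMIN"], "permissions": permissions_for_api(["ROLE_ADMIN"])}
    plain = {"roles": ["ROLE_USER"]}  # current API: no permissions field
    print(permissions_for_api(["ROLE_USER", "ROLE_TEAMLEAD"]))
    print(can_create(admin, "project"), can_create(plain, "project"))
    print(should_send_create(admin, "team"), should_send_create(plain, "team"))
```

The server-side function answers the question at the end of the thread in one concrete way: the list is a fixed, selected subset of permission names, derived from the user's actual roles but never exposing anything outside the allow-list. The client-side check treats a missing field as "unknown" rather than "denied", which is what lets a client keep working against the current API while using the richer response where available.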