marklogic-community / Corona

Community REST API for MarkLogic

Doc write doesn't set perms so current user can see it #38

Closed hunterhacker closed 12 years ago

hunterhacker commented 12 years ago

When writing a document Corona should set it so that the current user can read/update/insert/execute the file. Right now Corona can't see the files it's written unless running as admin.

Yeah, probably even execute so you can use Corona to manage your module code.

I'm thinking current user with all their roles is better than just the role corona-dev.

ryangrimm commented 12 years ago

The corona-dev role will be applied by default to all documents being inserted via Corona. Should the user be able to remove any of the corona-dev permissions? (Can remove a permission with a POST request to /store?uri=foo.xml&removePermission=corona-dev:update). Should the corona-dev permission even be reported when fetching a document?

hunterhacker commented 12 years ago

I think all the current user's roles should be applied by default, not just corona-dev (or corona-internal which maybe it'll become). I don't feel strongly about it, just seems sensible.

I think you should be able to remove the permissions if you want. Again, don't feel strongly, just seems like it's not our job to make sure you don't change your files to be read-only. Maybe you want that.

I wonder if we should implicitly give corona-admin extra rights to docs so they could undo damage like that without resorting to full admin rights? I think corona-dev shouldn't be able to remove corona-admin's rights.

I'm OK to report the true honest permissions on things.

ryangrimm commented 12 years ago

Yes, all the user's default permissions are applied along with whatever permissions the user specifies.

Excellent point that the user should be able to make a document read-only.

More thought should be given to what the corona-admin user should be able to do and how it relates to corona-dev.