limited authorization for monica user

monicahq / monica

Personal CRM. Remember everything about your friends, family and business relationships.

https://beta.monicahq.com

GNU Affero General Public License v3.0

21.7k stars 2.18k forks source link

limited authorization for monica user #3477

Open coreyoconnor opened 4 years ago

coreyoconnor commented 4 years ago

Is your feature request related to a problem? Please describe.

We have a setup where:

a user A has an assistant B.
Monica is used to managed the contacts for user A.
However, the assistant B is the only who should add/remove contacts ; edit addresses ; contact mechanism details

We'd like user A to still be able to: view ; search ; log events and add notes.

Describe the solution you'd like

Authorization controls on users: either fine grained or a general "read only" level.

Describe alternatives you've considered (optional)

None: Initial investigation only.

Additional context

This is a feature we (DogHeadBone) can invest development time into. We are not blocked by this feature and can implement a temporary solution on our own fork. The general idea of authorization controls is worth careful consideration. Not something we'd like to start on without discussion. :)

I also thought there was an existing ticket for this but my search foo fails me.

djaiss commented 4 years ago

Thanks for this issue @coreyoconnor.

Indeed, this is a tricky subject as it could add a lot of complexity. Permissions is generally a pain. I would like to implement this kind of mechanisms in Monica, but we should make it very simple. The best to make it simple would be to start with 2 levels, as it would give us a sense of how it would work generally.

I don't think we should give users the ability to define what roles can do what in the app. This would make it extremely complex in terms of testing. I suggest that we decide together what types of roles we should have, and then decide for each role what we can do, and implement this. We can't please everyone and therefore we should come to a consensus.

@asbiin what are you thoughts around this?

asbiin commented 4 years ago

This is really interesting feature. However like @djaiss said, it could be really tricky ....

We could have some matrix like:

	Actions 1	Actions 2	Actions 3
Role A	Allow	Allow	Deny
Role B	Deny	Allow	Allow

What is complex here is to define the group of actions, and/or the list of objects it applies to

It might be even more complex if we go for CRUD for each allow/deny action?

What is your approach?

coreyoconnor commented 4 years ago

A note on context: Our client has put a pause on this project so we haven't dug into this any further.

A RBAC system would be ideal but definitely seems complex to define. What are the roles? What are the actions for each role? How is this all managed from a developers perspective?

I haven't studied up on laravel's authorization support, but definitely looks effective for supporting the developer: https://laravel.com/docs/7.x/authorization