scottgonzalez / debt

DEBT: Exceptional Bug Tracking
MIT License

Determine permission model #32

Closed scottgonzalez closed 10 years ago

scottgonzalez commented 10 years ago

Probably user, group, world.

scottgonzalez commented 10 years ago

This could be implemented with hierarchical permissions of COMPONENT:ACTION. An action of ADMIN would grant all permissions within the component. A special permission of DEBT:ADMIN would grant all permissions.

The component/action pairs will be managed via code, since the code needs to know about them in order to check which actions can be performed. Granting permissions will happen through the app. On install a single user will be created and granted DEBT:ADMIN.

scottgonzalez commented 10 years ago

Potential permissions:

Admin

Ticket

Permission

Group

Not sure if comments should have their own permissions or just inherit from tickets.

arschmitz commented 10 years ago

I think comment permissions should just inherit from ticket permissions.

For ticket permissions, seems like all you need is ticket:admin, ticket:owner, and ticket:default. Default is create and comment. Admin is everything of course, and owner is default plus editing tickets. Similar to how GitHub does it.

scottgonzalez commented 10 years ago

GitHub doesn't support deleting tickets, so that would still need to be a permission here.

ticket:owner wouldn't be a permission you grant, it'd be a permission that's automatically given on a per-ticket basis. But that's a good point that there should be inherent item-specific permissions granted to the user who creates the item. This only applies to the specific item created, not everything linked to that item. For example, the reporter of a ticket does not get edit over comments on the ticket (except for the comments which they wrote themselves).

arschmitz commented 10 years ago

For delete, of course, I just meant a similar model; simplifying the permissions might be good. You are also of course right: owner would not be something set explicitly, it would be based on the ticket and would just add limited abilities (to close or edit the ticket but not comments).
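
The model discussed in this thread, sketched as an added example (not code from the DEBT repository): granted COMPONENT:ACTION permissions with ADMIN and DEBT:ADMIN as hierarchical overrides, plus an inherent per-item owner permission. Action names other than ADMIN, the `OWNER_ACTIONS` set, the helper names, and treating a comment as a TICKET-component item are assumptions.

```javascript
// Component/action pairs are defined in code, as the thread proposes.
// Action names other than ADMIN are assumptions made for this example.
const ACTIONS = {
  DEBT: ["ADMIN"],
  TICKET: ["ADMIN", "CREATE", "COMMENT", "EDIT", "DELETE"],
  PERMISSION: ["ADMIN", "GRANT"],
  GROUP: ["ADMIN", "EDIT"],
};

// Actions an item's creator holds on that one item (assumed set).
const OWNER_ACTIONS = ["EDIT"];

function isKnown(component, action) {
  // hasOwnProperty keeps inherited keys such as "constructor" out.
  return Object.prototype.hasOwnProperty.call(ACTIONS, component) &&
    ACTIONS[component].includes(action);
}

// grants: Set of exact "COMPONENT:ACTION" strings held by a user.
function hasPermission(grants, component, action) {
  if (!isKnown(component, action)) return false; // fail closed
  if (grants.has("DEBT:ADMIN")) return true; // everything
  if (grants.has(component + ":ADMIN")) return true; // whole component
  return grants.has(component + ":" + action);
}

// item: { component, creator }. Ownership is read from the item being
// acted on, never from its parent, so a ticket's reporter gains nothing
// over comments written by other users.
function canActOnItem(user, item, action) {
  if (hasPermission(user.grants, item.component, action)) return true;
  return isKnown(item.component, action) &&
    OWNER_ACTIONS.includes(action) &&
    item.creator === user.name;
}

// Constructed sample data.
const DEFAULTS = ["TICKET:CREATE", "TICKET:COMMENT"];
const alice = { name: "alice", grants: new Set(DEFAULTS) };
const bob = { name: "bob", grants: new Set(DEFAULTS) };
const carol = { name: "carol", grants: new Set(["TICKET:ADMIN"]) };
const root = { name: "root", grants: new Set(["DEBT:ADMIN"]) };
const ticket = { component: "TICKET", creator: "alice" };
const bobComment = { component: "TICKET", creator: "bob" };
```

Grants are matched as exact strings, so a component admin such as `carol` gets nothing outside TICKET, and a pair the code does not define is refused even for a DEBT:ADMIN holder.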