upm-developers / upm-server

Server for upm

Registration of users in a server, ranking #8

Open m-bra opened 9 years ago

m-bra commented 9 years ago

Registration of users in a server, ranking

Motivation

When someone creates a package, he gets a password from upm (or makes his own).
If he wants to give someone the permission to update the package, he gives him the password.
Now he can update the package and give others the password.
However, it is not possible to give someone only the allowance for updating the package.

How is the maintainer going to permit others to check packages, too?

Summary

User registration

Therefore we have to identify a person to see which rights he has.
Every user has a unique user name and a password. He can specify an email so that upm can reset and send the password.
There can be a maximum number of registrations for each IP.

Package name rank

Now a package name is not locked through one password anymore; it is a bit more complicated.
We are now saying "updating package" for simplicity, though "updating package that has package name" would be correct.
Every user has a rank for a package name.

E.g. rank 3 can change the rank of an updater (rank 1) to rank 2.
It can, however, not change the rank to 4, because that's bigger than his own rank. He can also not change the rank of higher users, because their ranks are bigger than his own.

Rank 2 is like an admin, he can also promote/degrade updaters,
and Rank 3 is like a super-admin, who can additionally promote/degrade admins (Rank 2 < Rank 3).
And Rank 4 is like a mega-admin, who can also promote/degrade super-admins (because Rank 3 < Rank 4).
And Rank 5 is like ...
And Rank X is like an X-admin, who can also degrade (X-1) admins (because Rank X-1 < Rank X) and (X-2) admins and Y admins if Y < X.

The rank of the owner is infinity, he has the power over all the people.

For example:
The owner has some very good friends who will help him with his package. Now, the owner gives them a rank of 3: that means, that they can also add users who have rank 2, which means they can add users too, but those will only be able to update. When the friends trust someone, the owner trusts him too.

O->R3(trust for promoting)->R2(trust for promoting)->R1(trust for updating)
 ->R3(trust for promoting)->R2(trust for promoting)

The owner trusts the people his friends trust (R2), but the trust ends in R1. However, the owner can remove R1, if he wants.

The owner could also have said his friends get the rank 2, so that the users his friends add can only update. In this case he does not trust the friends of his friends entirely.

Note: Only the owner can remove a package for the package-name
Note: Users with a rank higher than 1 can also update a package, of course

Check rank

Every user has a check rank, which determines whether he is allowed to check a package.

The server maintainer has rank infinity.

Pattern is the same as with package name ranks.

Advantages

Makes development of packages and maintaining of servers in groups safer; no, it makes it possible in the first place!
The flexible rank system allows complex permission distribution.

Disadvantages

The rank system may be a little hard to grasp.

Alternatives

Not known.

Unresolved questions

Not known.

Detailed explanation

User registration

There is one file which lists all users with their passwords, email addresses and IP addresses.
Simple key-value mapping.
Registration occurs with a command like upm register <server> <user name> [<email address>].
The server will then ask for the password twice. Then it will add the username, ip, password and ip address to the list. Unregistering is possible.

The IP addresses are used to be able to set a limit of registrations per IP.
The limit is specified by server or will be 3.

The client will remember all registrations made for every server. It will put them in a list which maps servers to a list of user names. List all registrations taken by the client with a command like upm register (without arguments).

The optional email address is used to be able to reset a password.
A command like upm reset-pass <server> <user name> will change the password to a random string which is sent to the email address. Used if the password is forgotten.

A command like upm change-pass <server> <username> will ask for the current password and then for the new password twice.

Package name rank

Every package name has a file, which lists all users who have another rank than 0 to the package name.
Simple key-value mapping.

Command like upm package-rank <server> <package-name> <user> <rank> will change the rank of a user for a package name.
This command will ask for your username and password to verify, and check if your rank is higher than the rank you want the user to become and if your rank is higher than the user's rank.

When a user wants to write to a package, the server will ask for the username and password to verify, and then check if his rank for the package name is high enough to do that.

Check rank

The server has a file where the check rank of every user is denoted.

There is a command to change the check rank of a user: upm set-check-rank <server> <user> <rank>, which will ask for your username and password and check if your rank is higher than the user's rank and than the rank you want to set the user to.

If the check state of a package is to change, upm will ask for username and password to verify.
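
Added example (not code from upm-server or from the proposal above): a small Python model of the package name rank check described in the Summary and in the Detailed explanation; the check rank follows the same pattern with the server maintainer as owner. The class name, the user names and the rank-0-means-unlisted convention are assumptions, and password verification is left out.

```python
import math

OWNER_RANK = math.inf  # the proposal gives the owner rank infinity


class PackageRanks:
    """Ranks of users for one package name (hypothetical class name).
    Users not in the mapping have rank 0, like users absent from the file."""

    def __init__(self, owner):
        self.ranks = {owner: OWNER_RANK}

    def rank_of(self, user):
        return self.ranks.get(user, 0)

    def can_set_rank(self, actor, target, new_rank):
        # The check upm package-rank performs after verifying the password:
        # actor's rank must be higher than the rank the target would get AND
        # higher than the target's current rank. Both comparisons are strict,
        # so nobody can hand out their own rank or pass the check on themselves.
        mine = self.rank_of(actor)
        return mine > new_rank and mine > self.rank_of(target)

    def set_rank(self, actor, target, new_rank):
        if not self.can_set_rank(actor, target, new_rank):
            raise PermissionError(f"{actor} may not set {target} to rank {new_rank}")
        if new_rank == 0:
            self.ranks.pop(target, None)  # rank 0 is simply not listed
        else:
            self.ranks[target] = new_rank

    def can_update(self, user):
        return self.rank_of(user) >= 1  # every rank above 0 may update

    def can_remove(self, user):
        return self.rank_of(user) == OWNER_RANK  # only the owner removes


def trust_chain_example():
    """Constructed walkthrough of the O->R3->R2->R1 chain from the issue."""
    p = PackageRanks("owner")
    p.set_rank("owner", "friend", 3)          # owner trusts friend to promote
    p.set_rank("friend", "helper_admin", 2)   # friend may add rank-2 users
    p.set_rank("helper_admin", "updater", 1)  # rank 2 may add updaters
    denied = [
        p.can_set_rank("helper_admin", "updater", 2),  # equals own rank
        p.can_set_rank("friend", "helper_admin", 4),   # above own rank
        p.can_set_rank("helper_admin", "friend", 1),   # target outranks actor
        p.can_set_rank("friend", "friend", 2),         # cannot touch own rank
    ]
    p.set_rank("owner", "updater", 0)  # the owner can still remove R1
    return p, denied
```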

m-bra commented 9 years ago

As already discussed with @NoahPeeters, one should be able to denote rank-specific rights.

m-bra commented 9 years ago

Also, one should be able to denote that a user is not able to check all but some packages.