Additional permissions

[ErisDS]

Related to #2600 and #2264:

003 needs to contain some additional permissions:

• for mail (send, send test)
• for tags (adding, editing, deleting)
• for notifications (browsing, adding, deleting, and possibly fine grained reading of individual instances)

I suggest the following:

Tag

JSON API	Admin	Editor	Author	NoAuth
tag.browse	y	y	y	y
tag.read	y	y	y	y
tag.edit	y	y
tag.add	y	y	y
tag.delete	y	y

Notification

JSON API	Admin	Editor	Author	NoAuth
notification.browse	y
notification.add*	y
notification.delete	y

*add should probably be possible as an internal thing

Mail

JSON API	Admin	Editor	Author	NoAuth
mail.send	y
mail.sendTest	y

[halfdan]

I am having trouble with the Notification permissions.

Once we have multi-user I think it is more than likely that apps would want to show persistent notifications (“Your article foo was published by $editor”). This would mean that notifications need to relate to a certain user. This user should then be allowed to delete the notification (so Admin + me).

Considering the “Please set up an email transport” notification on startup: A notification should only be shown for users in a certain role (in this case only for Admins) - an editor / author would not care about the notification (are they allowed to delete it though?).

I think a similar permission issue may arise with posts: Is an author allowed to delete his own posts (right now the answer is no)? What does an author do when he accidentally created a post - call an editor?

I think it would be beneficial to introduce a self permission for BREAD operations, meaning that I can execute those operations if I created the entity in question. A use-case for this might be for posts: An author cannot read posts unless they are his own.

[sebgie]

I think it would be beneficial to introduce a self permission for BREAD operations, meaning that I can execute those operations if I created the entity in question.

This is already implemented and working (see #2264). An author is allowed to browse, read, edit and delete posts if author == self.

[sebgie]

Additional permissions:

• I think that tags could be allowed to be edited/deleted by the original creator? That would be the same behavior that is implemented for posts?
• mail.send() is not only used by administrators. NoAuth needs to send emails for forgotten passwords. Maybe we need another API end point for forgotten passwords to keep it secure? Editor and Authors don't need to send emails now but I would add the permission so we could allow Apps to send emails with these roles?

[ErisDS]

I think the forgotten password email should count as an internal request?

[sebgie]

I think the forgotten password email should count as an internal request?

Yeah I was thinking the same, otherwise everyone would be able to send emails from your blog. I would introduce a new mail API method (api.mail.sendPasswordReset) for that?

[halfdan]

Why another API method? Can’t we reuse the existing one with { internal: true }?

[sebgie]

Whatever you like best :-).

[ErisDS]

Also moving to MU as it is more relevant there.

[ErisDS]

I made a wiki page to cover all the various permissions: https://github.com/TryGhost/Ghost/wiki/User-Roles-&-Permissions