JSON API Permissions #2264
Comments
|
This highlights something which has been on my mind but I don't think I've articulated well in the existing issues. The status of a post (published or !published) is incredibly important to permissions. It is also very important that we are able to determine this in this boolean style - 'published' vs 'not published', and that we do not depend on 'published' vs 'draft' because this will fall down when other kinds of statuses like 'queued' come along. Published is effectively a special state of post, only published posts get the special rule of being readable with noAuth. |
|
Hi, Thanks for being awesome :) |
|
Agreed; publishing and unpublishing/deleting posts seems like actions that would be more applicable for an Editor role. |
|
I believe that noAuth will need read access for users in order to get post author info etc? |
|
Hi I think you have missed one final type of user, the authenticated read only user ( or subscriber). These user would not be taking part in any content editing but have a login and access to 'premium content' or other features. Subscribers would have similar permissions to the noAuth but access to users .browse .read .edit. Just a thought. |
|
A subscriber is (should be) merely a role, like any other, so the On 3/8/14, 3:06 PM, Dan wrote:
|
I'm not sure about this one? If noAuth is allowed read access for users, a random visitor of the blog would be able to iterate through the list of users by trying more or less random IDs. In that case even users who have never published a post would be publicly accessible? I think that denying public access to users and adding the author of a post if needed would be a more secretive approach? |
|
Updated: |
|
👍 |
|
Just read through this, overall this is really awesome work @sebgie, really excite to see this included. I do have a few notes however :). Posts I also agree with what others mentioned, an author shouldn't necessarily be able to publish a post without an editor or admin approving or publishing it themselves. Is this addressed? Settings Everything else looks great to me. Not directly on topic but directly related, it may be best to approach this more modular. Instead of allowing for just 4 pre-defined types with set permissions I would venture that we could just offer them as 4 defaults included with Ghost. This means that you'd be able to create a new role and assign permissions in a similar matter to how you outlined them above. It will be more work, but I think easier to implement now than later. |
This is exactly what we are doing? I'm not sure what you would imagine doing differently, but in the fullness of time we fully expect people to create their own roles or edit the existing ones - those in Ghost are just the defaults. |
Good catch, that is not correct 👍.
No, that is not addressed yet. The assumption was that an author is allowed to publish his own posts. @ErisDS / @JohnONolan any thoughts on this?
The reasoning was to allow an author to see the current settings (blog), installed apps (apps) or available themes (theme) without being able to change any of those settings.
I think this is a 0.6 task :-). |
|
FWIW - having a UI for creating new roles, permissions, and advanced publishing workflows where editors are responsible for certain authors etc, is part of 0.8 'magazine features'. In my opinion having authors not able to publish anything at all is a sensible default. Publishing = making something publicly available. I think it makes sense to have a user level who is not admin who can do this, and one who cannot. |
|
Just to clarify, when I wrote of allowing for creating new roles I didn't mean for the UI and that flow to exist in 0.5. What I meant was to create the system to later allow for that. So we don't shoe-horn ourselves into making static definitions and then migrate them to dynamic ones. Just create the architecture for there to eventually be dynamic creation of roles but only allow for 4 pre-set ones at this point. Hope that's a little clearer, and forgive me if I'm repeating what was already intended. |
I understand now what you mean ;-). The permissions and roles are all managed in the database. The static definitions that are in place right now are the default settings that are stored in the database when it first starts. |
|
Dope :D 👍 |
With the use of JSON API it makes sense to grant read access to noAuth to get post author, creator, publisher infos. My original reasoning was to include the user in the post, but as the user is linked now this concept is not working anymore. I have updated the issue. |
closes TryGhost#2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
|
This is done on the apps-perms branch |
closes TryGhost#2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
Co-authored-by: Renovate Bot <bot@renovateapp.com>
In preparation for #2058, #2059 and #2124 I have summarized a list of roles and their permissions for the JSON API. This is not a complete list of API functions yet.
Roles
Posts
Settings
DB
User
The text was updated successfully, but these errors were encountered: