Implement Database, Architecture and Permission System

[mariobehling]

• Create all roles and list permissions
• Document all roles and permission in the Readme.md and /docs

Sitewide Roles

• SUPER ADMIN
  • have special panel where can manage every detail of the system, any event, any user - everything (CRUD events, sessions, speakers etc)

Event Specific Roles

• ORGANIZER
  • can edit event/remove
• CO-ORGANIZER
  • can edit event
• TRACK-ORGANIZER
  • can edit tracks
• MODERATOR
  • can see tracks before they are published but not edit them
• SPEAKER Implement Database, Architecture and Permission System #623 (comment)
  • can see his own sessions and edit his own information (but not location for example)
• ANONYMOUS USER
  • can see information of an event that is published

[rafalkowalski]

@aditya1702 do you have any idea how we can prepare a permission list?

[aditya1702]

@rafalkowalski I think we can make use of some frameworks of Flask to achieve this. I will look into it.

[rafalkowalski]

@aditya1702 can i take care of permissions?

[mariobehling]

@rafalkowalski Good idea. Please do.

[rafalkowalski]

@mariobehling can track-organizer edit every tracks or track defined by organizer/co-organizer?

[shivamMg]

@rafalkowalski A Track Organizer would be specific for an Event, i.e. a user can be TO in an Event where he has been assigned as one (by the event creator). The TO should be permitted to edit tracks of only those events where he is a TO in.

[shivamMg]

@rafalkowalski Have you started working on the issue, I would like to help. Or I can take up the issue if you want, you seem to be assigned to a lot of issues.

[aditya1702]

@shivamMg I am also working on the issue. You can help if u want 😄

[shivamMg]

@aditya1702 Would love to help. Are you working on a common branch? 😃

[rafalkowalski]

do you have an idea @shivamMg ?

[mariobehling]

@rafalkowalski

can track-organizer edit every tracks or track defined by organizer/co-organizer?

A track organizer needs to be assigned to a specific track to be able to edit the track. But, a track organizer can also be added to several tracks.

Could you please document a list what each role is allowed to do.

[rafalkowalski]

@shivamMg @aditya1702
I've found below solutions, if you have another please add it here.
We need to choose the best. I like this one https://github.com/hustlzp/permission 👍 Easy way to create rules :D
RBAC
https://flask-rbac.readthedocs.io/en/latest/
https://github.com/tonyseek/simple-rbac

Permissions
https://github.com/raddevon/flask-permissions
https://github.com/hustlzp/permission

[mariobehling]

@rafalkowalski Please also regard the activity of the project, number of contributors and latest dates of commits.
simple-rbac, 3 contributors, last commit March 29
flask permissions, 3 contributors, Jan 29, 2015
hustlzp/permission, 2 contrib, 12 Nov, 2015
https://github.com/shonenada/flask-rbac, updated on April 25

[shivamMg]

@mariobehling We are working on a custom solution for this. Extensions might require a lot of tinkering to make them suitable for our purpose.

[mariobehling]

@shivamMg 👍
@leto Any input/ideas about this?

[rafalkowalski]

@mariobehling custom solution will be the best option for us, because our permission model isn't a standard

[mariobehling]

@rafalkowalski Ok, makes sense. Thank you!

[mariobehling]

This issue is really starting to be urgent as it is blocking other features.

[shivamMg]

I put some thought into the Speaker role, and we might not need it. The Speaker role requires two permissions, one editing his own info (Speaker model he created) and other reading the Session he sent proposal for.

After a user sends a Speaker proposal we can associate that Speaker model with the user. And after it has been accepted, only the associated user will be given permission to edit the info, so restricting access only to that user. And since we already know what Session a Speaker model is related to, we can define reading restrictions for it.

As for why Speaker can't be an event specific role, it requires access to just a specific instance of a service (speaker) inside an event. Where as we define permissions for a service as a whole.

So we will implement the SPEAKER role using the Speaker model itself.

[mariobehling]

Please check if other use cases are relevant here too e.g.:

• There could be several speakers of one session who could edit their session
• This is probably not directly relevant to the speaker role, but should be kept in mind: Organizers and track organizers will probably edit the sessions speaker submitted as well.

[shivamMg]

There could be several speakers of one session who could edit their session

But the speakers are not allowed to edit sessions. They can only see their own sessions. Quoting from the main description above:

SPEAKER
can see his own sessions and edit his own information (but not location for example)

[mariobehling]

Yes, speakers can change for example their abstract. And also if several speakers have the same session they can all edit the session.

[shivamMg]

Implement Speaker role though models: #955