Permission Rewrite
Issue #51
resolved
Would it be possible to give the User level, access to basic Start / Stop / Restart / Kill functions?
Comments (17)
-
repo owner
-
repo owner
- changed title to Permission Rewrite
-
repo owner
- marked as enhancement
-
repo owner
Sadly, the user role is currently heavily tied to the guest access if a server is set to public. Adding power cycle rights to those would be dangerous for the few of SESM that put their server as public as anyone without login would be able to start/stop/restart and most importantly KILL them ... thois would be a big security hole.
However, if you know some programming language, you should be able to create easily a page that call the SESM API to authenticate and start/stop a server.
-
repo owner
A question for you all :
Do you think you will ever need to affect a permission to a user DIRECTLY (without passing by a role) ?
-
It depends on the roles. : ) If they meet all my use cases, then no I wouldn't need to.
-
repo owner
You will be in any case able to create as many role as you want and affect each permission to one or more role as you please, so, technicly, if you would ever need to affect a specific user a specific permission, you will always be able to create a role where he would be the only member.
More i think of it, more it seem the right way to go, without over doing it.
So it would be something like this :
User <----> Role <----> Permission, where a user can be part of 0 to n roles and a role can have 0 to n permission.
I'm also thinking about some role inheritance, which would allow to easily make something like the current system, without having to add permission to x role each time a new one arose. so if the "user" role have the "manager" role as parent, any permission affected to the "user" role will be available to the manager, etc
One thing also would be to have inheritance int permission, like the SERVER.CONFIG.ENABLECARGOSHIP and SERVER.CONFIG.MAXFLOATINGOBJECTS would be "groupped" under SERVER.CONFIG.*
I'm just throing idead, feel free to comment below
-
I think that if we have customizable roles, it won't take that long to set up and tweak any situation we need. Permissions assigned to users outside of their roles would save some time in testing things, but in the long term it seems much more maintainable to ensure permissions are captured in roles. Role inheritance could help helpful in keeping things DRY, but it seems like it might be a fair amount of work to figure out the best way to display/edit it. Personally I would just shoot for the customizable roles and keep the other features as ideas to collect interest on.
-
repo owner
Another thing to think about would be : in the case of adding some new permissions (for a new module or whatever) what would be SESM behavior? The only reasonable answer I currently have is : nothing, the server admits would have to edit their role to add the permission. Of anyone have a better idea, I'm taking ^^
-
You could let the module decide default permissions for the vanilla roles and a default for any custom ones. Or just default to false yeah.
-
Would it be possible to give the User level, access to basic Start / Stop / Restart / Kill functions? No.
User should only be able to see the status page of the server and hopefully a user list of people on the server. Maybe allow them to see the perf monitor. They shouldn't have access to manipulate the server, thats what the moderator is for. Thats my 2 cents. :)
-
"You will be in any case able to create as many role as you want and affect each permission to one or more role as you please, so, technically, if you would ever need to affect a specific user a specific permission, you will always be able to create a role where he would be the only member."
-
Is this still coming along? Would be very helpful to give select people the ability to restart the server without giving them file access.
-
repo owner
It is still in work, but i currently only have a few hours per week to dedicated to SESM so it is comming rather slowly. the new permission have been implemented in almost all module except the explorer and the auto updaters and the GUI to modify/create/delete the server and host roles is currently in dev.
-
Ok great, thanks for your work here!
-
repo owner
Done in V4
-
repo owner
- changed status to resolved
- Log in to comment
User are meant to be a read-only role, with maybe some chat functionnality when the chat will be implemented, but mostly a "harmless" access to the server.
However, i'm currently rethinking the problem and I think the new big improovement in SESM will be a much needed rewamp of the permission system which have been on hold since the start of the V3 (about november). It's still in the early stages but I hope to be able to do it before the end of May, it will depend on my IRL workload.
As I currently see it, the new permission system will allow to assign role to users as well as individual permission, the permission will be splitted in 2 categories : host wide permissions and server wide permission.
As their name suggest, the first will be to control host functionalities (SE auto update, user managment, server creation, etc...) and the other will be for server functionnalities (start/stop/etc, config changes, etc).
To note that every server wide permission will also exist as a host wide counterpart, which will allow the use of that permission on every server (much like the super admin current powers).
Anyway, it's still in the thinking, I have yet to find a data storage model for this so feel free to comment on this thread if you have ideas/suggestions