At the moment, the webapp has implemented a notion of role-based access control to various functions of the webapp.
We have these roles, in order of ascending levels of capability:
1. demo_user
2. "regular_user" -- we don't have a name for this role. It's the role the user has when the user has none of the other roles/capabilities
3. course_admin (just called admin)
4. super_admin
These roles are specified for each user in various ways:
- You are a demo_user if your users.demo field is a value that Python interprets as True
- You are a course_admin if your user has a corresponding row for that course in the admins table
- You are a super_admin if your users.primary_course_id == -1
This design is not likely to be very generalizable over time.
The usual way to do this kind of thing is to implement Role-Based Access Control (RBAC) where there is a model like:
- User has Roles
- Roles have Permissions (or Capabilities)
Then defining Roles and Permissions is externalized through APIs and UIs and only the Permissions are hard-coded into the app logic. The app code then just has to check the Permissions that are relevant to the specific function being performed rather than keeping track of what Roles might mean over time. We wouldn't have to provide a full UI, either, for managing User/Role/Permission associations if we don't want to, or we could adopt one of the several fairly standard ways to do all this kind of thing.
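As an added illustration (not code from this project), here is a minimal version of the model sketched above, with a helper that derives role assignments from the three legacy signals the post lists. The permission names, the role-to-permission table and the shape of the legacy fields are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permissions are the only thing the app logic hard-codes (names assumed).
VIEW_COURSE = "view_course"
SUBMIT_WORK = "submit_work"
MANAGE_COURSE = "manage_course"   # meaningful per course
MANAGE_USERS = "manage_users"     # global

# Role -> permissions. This table could later live behind an API/UI;
# app code never refers to role names, only to permissions.
ROLES = {
    "demo_user": {VIEW_COURSE},
    "regular_user": {VIEW_COURSE, SUBMIT_WORK},
    "course_admin": {VIEW_COURSE, SUBMIT_WORK, MANAGE_COURSE},
    "super_admin": {VIEW_COURSE, SUBMIT_WORK, MANAGE_COURSE, MANAGE_USERS},
}

@dataclass(frozen=True)
class RoleAssignment:
    role: str
    course_id: Optional[int] = None   # None = global, else scoped to one course

@dataclass
class User:
    user_id: int
    roles: set = field(default_factory=set)

def has_permission(user, permission, course_id=None):
    """True if any of the user's roles grants `permission` for `course_id`.
    A global assignment applies everywhere; a scoped one only to its course."""
    for a in user.roles:
        if a.course_id is not None and a.course_id != course_id:
            continue   # course_admin of another course does not count here
        if permission in ROLES.get(a.role, set()):
            return True
    return False

def roles_from_legacy(user_id, demo, primary_course_id, admin_course_ids):
    """Build assignments from the legacy fields described in the post:
    users.demo, users.primary_course_id == -1, and admins rows (assumed
    passed in as a list of course ids)."""
    roles = set()
    if primary_course_id == -1:
        roles.add(RoleAssignment("super_admin"))
    for cid in admin_course_ids:
        roles.add(RoleAssignment("course_admin", cid))
    roles.add(RoleAssignment("demo_user" if demo else "regular_user"))
    return User(user_id, roles)
```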
Anyway, just a thought for the future, and please weigh in on the pros and cons or any other aspect.