
Post permissions #3283

Closed
ErisDS opened this issue Jul 16, 2014 · 2 comments
Labels
affects:api Affects the Ghost API

Comments

@ErisDS
Member

ErisDS commented Jul 16, 2014

Opening this up as a separate issue as there is an extra piece of work here.

Here's the post permissions table:

Posts

Special Rules:

  • Visibility of posts is determined based on status
  • Ownership of posts is based on the author property, not created_by. The post's owner has all rights regardless of role.
| API Method | Admin | Editor | Author | NoAuth |
|---|---|---|---|---|
| browse | y | y | y (status == published or author == self) | y (status == published) |
| read | y | y | y (status == published or author == self) | y (status == published) |
| edit | y | y | y (author == self) | |
| add | y | y | y | |
| destroy | y | y | y (author == self) | |

The resulting post config needs to look like:

"post": [
    {
        "name": "Browse posts",
        "action_type": "browse"
    },
    {
        "name": "Read posts",
        "action_type": "read"
    },
    {
        "name": "Edit posts",
        "action_type": "edit"
    },
    {
        "name": "Add posts",
        "action_type": "add"
    },
    {
        "name": "Delete posts",
        "action_type": "destroy"
    }
],
...
"permissions_roles": {
    "Administrator": {
        "db": "all"
    },
    "Editor": {
        "post": "all"
    },
    "Author": {
        "post": "all"
    }
},

The existing post permissions config looks like this:

"post": [
    {
        "name": "Edit posts",
        "action_type": "edit"
    },
    {
        "name": "Remove posts",
        "action_type": "remove"
    },
    {
        "name": "Create posts",
        "action_type": "create"
    }
],
...
"permissions_roles": {
    "Administrator": {
        "post": "all"
    },
    "Editor": {
        "post": "all"
    },
    "Author": {
        "post": ["add"]
    }
}

So this needs amending, browse & read need better handling and we need to be sure that there are full tests for all of the different cases.
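As an added illustration, not Ghost's code and not part of this issue, the following encodes the table above as an object-level authorization check, including both special rules (visibility by status, ownership by the author field); the role names, the user/post shapes, and the `canPerform`/`browsePosts` helpers are assumptions for the example.

```javascript
// Added example (not Ghost's code): permission check for the post table in
// this issue. Role names, the `add` action and the user/post shapes are
// assumptions; `null` stands for an unauthenticated (NoAuth) request.
const ROLE_ACTIONS = {
  Administrator: ['browse', 'read', 'edit', 'add', 'destroy'],
  Editor:        ['browse', 'read', 'edit', 'add', 'destroy'],
  Author:        ['browse', 'read', 'edit', 'add', 'destroy'],
  NoAuth:        ['browse', 'read'],
};

// Ownership is decided by the post's author property, not created_by.
function isOwner(user, post) {
  return Boolean(user) && post.author === user.id;
}

// Returns true if `user` may perform `action` on `post`.
function canPerform(user, action, post) {
  const role = user ? user.role : 'NoAuth';
  const actions = ROLE_ACTIONS[role] || [];
  if (!actions.includes(action)) return false;       // role-level gate
  if (role === 'Administrator' || role === 'Editor') return true;
  if (role === 'NoAuth') return post.status === 'published';
  // Author: visibility by status, edit/destroy only on own posts
  switch (action) {
    case 'browse':
    case 'read':
      return post.status === 'published' || isOwner(user, post);
    case 'edit':
    case 'destroy':
      return isOwner(user, post);
    case 'add':
      return true;
    default:
      return false;
  }
}

// browse is a collection operation: apply the row-level rule per post
function browsePosts(user, posts) {
  return posts.filter((p) => canPerform(user, 'browse', p));
}
```

The role gate alone is not enough; the `status`/`author` conditions are what keep an Author from reading another author's drafts, which is the part the table marks as needing better handling.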

@ErisDS ErisDS added this to the 0.5 Multi-user milestone Jul 16, 2014
@ErisDS ErisDS self-assigned this Jul 16, 2014
ErisDS added a commit to ErisDS/Ghost that referenced this issue Jul 17, 2014
refs TryGhost#3283, refs TryGhost#2739, refs TryGhost#3096

- Renames permissions which didn't follow bread
- Adds permissions for notifications, mail and tags

Still todo:

- wire up the new permissions where they are needed
- add permissions for roles
@ErisDS
Member Author

ErisDS commented Jul 29, 2014

I have done part of this issue. What is outstanding is:

browse & read need better handling and we need to be sure that there are full tests for all of the different cases.

Not sure about browse and read handling for 0.5; I think this should be punted to 0.5.x and dealt with across all resources.

However, improving test coverage for the Post API is still desired for 0.5.

@ErisDS ErisDS removed their assignment Jul 29, 2014
@ErisDS ErisDS modified the milestones: 0.5 Multi-user, 0.5.x Feature Release Jul 30, 2014
@ErisDS ErisDS removed the bug label Aug 26, 2014
@ErisDS ErisDS modified the milestone: Next Backlog Oct 9, 2015
@ErisDS ErisDS added the later [triage] (Things we intend to work on but are not immediate priority) and permissions labels Oct 9, 2015
@ErisDS
Member Author

ErisDS commented Oct 9, 2015

Labelling all the open permissions related issues (there are several) with both permissions and later as I'm working on a spec to solve the immediate issues as well as a long term plan, which will replace all of these issues.

@ErisDS ErisDS closed this as completed Oct 9, 2015
@ErisDS ErisDS removed the later [triage] (Things we intend to work on but are not immediate priority) label Jan 23, 2019