
move acl from db to config

o@ungehorsam.ch requested to merge rewrite_acl into master

Also, add a new invite permission to the ACL group. A user has the max permission of all his groups. A group can be:

  • all_with_admin: allows creating any kind of account for all domains
  • public: allows creating non-protected accounts for public domains

Internally invite permissions are modeled as

{
   (public:      [:user|:admin])?,
   (domain_name: [:user|:admin])*
}

'public' allows one to create invitations for all public domains (i.e. all domains which are marked public when the invitation is consumed). Per-domain permissions are stated explicitly. For both, we either allow the creation of any account (:admin) or the creation of only non-protected account names (:user).

More fine-grained permissions are planned, as soon as we have relations between users and domains, such as domain owner, or administrator. We should be able to transparently map those relations to the permissions we use internally.

Edited by o@ungehorsam.ch
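
An added example, not part of the merge request or the project's code: a sketch of how the permission model described above could be evaluated, merging a user's groups to the highest level per scope and checking an invitation at the time it is consumed. The group config, the protected-name list, all method names, and the rule that a per-domain entry and the public entry are combined by taking the higher level are assumptions.

```ruby
# Added illustration; every name here is hypothetical, not the project's code.
LEVELS = { user: 1, admin: 2 }.freeze

# Constructed sample config: group name => invite permissions.
GROUPS = {
  'public'       => { public: :user },
  'example_team' => { 'example.org' => :admin },
  'helpers'      => { public: :user, 'example.net' => :user }
}.freeze

# Constructed sample list of protected account names.
PROTECTED_NAMES = %w[admin postmaster abuse].freeze

# Merge the permissions of all groups, keeping the highest level per scope.
# Unknown group names grant nothing (deny by default).
def effective_permissions(group_names, groups = GROUPS)
  group_names.each_with_object({}) do |name, merged|
    groups.fetch(name, {}).each do |scope, level|
      raise ArgumentError, "unknown level #{level.inspect}" unless LEVELS.key?(level)
      current = merged[scope]
      merged[scope] = level if current.nil? || LEVELS[level] > LEVELS[current]
    end
  end
end

# Level that applies to a domain: its explicit entry plus, only if the domain
# is public right now, the :public entry. The higher of the two wins.
def level_for(perms, domain, public_domains)
  candidates = [perms[domain]]
  candidates << perms[:public] if public_domains.include?(domain)
  candidates.compact.max_by { |l| LEVELS[l] }
end

# Decide, when the invitation is consumed, whether the account may be created.
def may_create?(perms, local_part, domain, public_domains)
  case level_for(perms, domain, public_domains)
  when :admin then true
  when :user  then !PROTECTED_NAMES.include?(local_part.downcase)
  else false
  end
end
```

Because `public_domains` is passed in at consumption time, an invitation issued under the public permission stops working once the domain is no longer marked public.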
