Replies: 12 comments 7 replies
-
Would there be defaults if no permissions are set? Not syntax related, but if there are no defaults, the author has to set all permissions which would make syntax 1 a bit clearer. While if there are defaults, the user probably have to set less that would make syntax 2 clearer. On a element with My vote go to multiple attributes, and To be consistent I think
|
Beta Was this translation helpful? Give feedback.
-
Would the *nix system type of permissions fit this? |
Beta Was this translation helpful? Give feedback.
-
@joyously many of the common use cases I mentioned wouldn't be possible to define that way. |
Beta Was this translation helpful? Give feedback.
-
I think depending on the Mavo app, it may be confusing to think of the "owner" of each item as a concept, whereas "my own items" is pretty straightforward regardless of the schema. |
Beta Was this translation helpful? Give feedback.
-
A different idea would be to have very very simple attributes (basically yes/no for each permission) and offload the complexity to expressions. Then, we would expose any information needed to implement common permission patterns via special properties in expressions, and update it accordingly upon login/logout. The main drawback is that this would make it much harder to read this server-side and enforce the permissions, without requiring the author to specify them again. It would also make it much harder to automatically transform the permissions to whatever format the backend expects. Attributes could be something like Special properties that need to be exposed in expressions would be:
Then logged in becomes just |
Beta Was this translation helpful? Give feedback.
-
Issues that are blocking this:
Anything else? |
Beta Was this translation helpful? Give feedback.
-
Some more on this, from recent discussions with @karger and some more research. SyntaxAttribute valuesThe two options are:
The obvious advantage of the former is flexibility, the main advantage of the latter is that it can more easily be compiled to various proprietary access control syntaxes of various backends. Perhaps a hybrid might be possible where common types of rules are specified via keywords, and expressions are also available. In terms of common permissions, I did some very preliminary exploration by writing down what permissions that common types of apps need here and it appears that even a language as limited as:
would cover a surprisingly large number of use cases. Attribute namesIt looks like the main permissions are:
It is unclear whether we need a It seems convenient for these to inherit, though not clear if what should inherit should be the expression or the computed value. Enforcing on the server-sideIn terms of enforcing the rules on the server-side, there are two options:
If we go with an expression-based syntax, 1 would be tremendous effort for even just one backend, while 2 is simpler to implement. Note that granular access control can be still useful even if there is no backend (e.g. for localStorage), for better UX, so these attributes should still be available in those backends. How do data actions behave?Use cases:
Both are useful so both should be possible. I think the best solution is that data actions follow existing permissions by default, but we can have a special Special properties per nodeTo enable common types of rules, we need to store the object owner for each object, i.e. the logged in user that created each collection item, and expose it via a special property (e.g. Issue #590 is relevant here too. To enable meaningful rules to be written, we would also need to expose user-related special properties, such as MiscSome more thoughts and questions:
|
Beta Was this translation helpful? Give feedback.
-
Even if "move within collection" is relatively unimportant because collection are often disordered, I expect there will be common cases for move between collections---e.g. moving a file to a different directory. |
Beta Was this translation helpful? Give feedback.
-
Another issue: ratings and polls! Ratings and polls are essentially collections (of votes) that have kind of odd access control characteristics:
One way to describe this with our AC syntax would be to have a collection that can be edited by logged-in users, its items are visible to all but only editable by owner, and the items' individual properties are hidden to everyone but the owner, including the special E.g. something like this for a star rating widget: <p>Average rating: [average(rating.value)]
<div mv-list="rating" mv-can-view="everyone" hidden>
<div mv-list-item mv-can-edit|delete="own">
<meta property="value" />
<meta property="$owner" mv-can-view="own" />
</div>
</div>
<div class="star-rating" mv-list="ratingWidget" mv-value="1 .. 5">
<span mv-list-item mv-action="
delete(rating where $owner = $username),
add(rating, group(value: ratingWidget))">⭐️</span>
</div> Note that in the code above the breakdown of votes is still accessible, it's only who voted that is hidden. However, I'm not sure if authors would be able to figure this out. But what alternative is there? It might be a good idea to just ask user study participants how they would do it, after they've experimented with the existing syntax. |
Beta Was this translation helpful? Give feedback.
-
There are some patterns that keep coming up: Possibly the most common one is a collection where items can be viewed by everybody, added to by logged-in users, but items are only editable by owner (and admins). I wonder if we should have some sort of shortcut for common AC policies. Maybe an |
Beta Was this translation helpful? Give feedback.
-
From yesterday's discussion with @karger: What happens when default permissions are a superset of Mavo permissions? E.g. if using Github as a backend, with a certain user having commit permission. When that user visits the Mavo app, would they have permission to do everything or would the UI follow the permissions specified? Often the As often happens with these things, maybe we should pick a default behavior and have a toggle to switch to the other behavior. |
Beta Was this translation helpful? Give feedback.
-
In the early days of my career I've been working with and administered Lotus Notes/Domino systems and databases. Notes is a NoSQL, document based database similar to MongoDB. Notes is the name of the client app, Domino the database servername. They have the most flexible ACL I've seen so far based on hierarchical Names (LDAP) - explicit or implied - where access control is applied to "forms" or "views" used to
LDAP and hierachical NamesThere's no concept of a "user id" in Lotus Domino thanks to the deep itegration of LDAP canonical names (there are binary .id files that provide encryption keys). If a backend requires such a thing as an "id", it's their responsibility to i.e. translate a "Notes Name" (a hierarchical and unique name like an e-mail address) that's been used in the frontend to authenticate. Being authenticated means that name will then be compared to other hierarchical names known by the app in parts or in full and looked up in groups and list that eventually have been given access privileges to perform predefined actions. Individuals dont have rights: the groups they belong to have. Picture a system run by "acme-corp.net". Inheritance of access levels is implied by the hierarchical names of groups
Only Groups are given rights to perform actions.Individuals (users) should never receive direkt rights in that system incl. the "Adminstrator" who's a default member of a group called You'd create a new ACL group, define what this group should or should not do to something, and put usernames and other groups inside it. The name of that ACL group is then assigned to the thing it should protect or display. There are groups that by definition allow actions and groups that deny actions, but never both. The DepositorNotes also features one particular access level: deposit that I never see in other systems despite it's simplicity and usefulness. $Owner-ship has been transfered while the $Creator is preserved. This ownership transfer is implied in the business model of "sending and email". Every app can have similar ACL transfers implied by some action executed by an authenticated user. Guest is also a UserA Guest is an unauthenticated user and as such can also have access privileges. If I visit any random website, I am usually the Guest with read access. The Guest is not equal to "everybody" or "world", both of which also include authenticated users. A Guest can have explicit rights on their own to some part of an app existing users don't have: most obvious would be "Create new Account." "Edit" never implies "Delete"or create or add for that matter. Delete is a distict right on its own. An application may implicitely grant a user groups to delete what they "most likely" can also edit, but that descision is up to the busines model of the app or its administration. Another example: If you hire someone to bulk add all your todos in yet another todo list, you don't want them to delete one of them without you knowing. No implicit delete right for the $Creator. Third example: If somebody participates in a poll/vote, they can't "pull" their vote back out of the box, Although they created and then added that piece of data, they're not allowed to delete it. Just like you can't remove that stupid mail you sent from their mailbox. Not all items in a system have to necessarily support all possible actions or access level defined. Any (billing) system that maintains a transaction and update log would also prevent an individual who's placing an order to delete this record. The ability to remove all contents from every field of such a record (using one of the edit "forms" that'd allow such a thing), does not imply that the whole item/record vanishes: at least its "record id" would remain in the system, so other data can still refer and link to that possivle buttload of emty fields. Forms and ViewsAnother specialty of Notes are their "forms" and "views". Both contain the ACL that defines what a usergroup can do with the data and input fields a form contains or the fields and columns a view depicts. With Notes being a document database, each document contains a $Form field with the form name used to create the document. That form also defines what fields are stored in that document. A $View field can "suggest" what view should be used to depict the data of documents created with that form. Whenever data is entered into the system (created, updated) it happens via some type of form with its own individual set of fields (properties) and it's individual ACL. A form may define
A view may define
Different forms with different ACLs would be used to create a new item and edit an existing item where some fields might be "raad only" like the "created" and "last update" date fields, the item id, and other editable. Some fields might be changed in content but not become empty again (similar to a "delete field" privilege). This is nothing new nor magical: we all use this schema just without thinking about it on such a granular level.
I hope this was somewhat useful. |
Beta Was this translation helpful? Give feedback.
-
When Mavo started, we were only using flat files to store all Mavo app data remotely, and backends that were basically file stores. Therefore, there was no way of only being able to read/edit part of the data: either you were able to read/edit all of it, or none of it. The set of possible permissions were very small, and Mavo conveniently read it from the backend and applied it to the UI.
This works well for apps where the data is only managed by one person or a small team of people that trust each other, such as PIM apps and CMS-style applications. However, it makes several types of apps impossible, such as:
Thankfully, this restrictive assumption is challenged by new backends like Firebase. This means, there needs to be a way for Mavo authors to describe these granular permissions in their HTML. Ideally, the remote backend would read these permissions, verify them with the admin when they are logged, and set them remotely too. But even backends that require setting permissions separately need to reflect them into the UI somehow. Sure, the Backend could read them remotely, parse them and apply them, but that's an extra step that not all backend authors do.
We've already seen that backend authors tend to expect HTML authors to duplicate the permissions in their HTML, and have to invent their own syntax, which sometimes even goes against best practices:
mv-unauthenticated-permissions="read edit save"
attributepublic-read
,public-write
,user-write
in themv-app
attribute (!).Since this is a common need, we need to devise a syntax for it, and have Mavo process it, apply it in the UI, and expose it to the backends. This will also mean that backend authors are more likely to support granular permissions in that case, as it's much less work for them.
I will start trying to come up with a good syntax with some brainstorming:
Types of permissions
Currently, Mavo supports the following types of permissions:
Currently, Mavo reads these permissions from the backend, and exposes them on an
mv-permissions
attribute on the Mavo root. Themv-permissions
attribute is read-only, and setting it doesn’t do anything.User targets
The following scopes seem most useful, but perhaps I'm missing some:
The last three are probably the most useful, and should be included in even the tiniest MVP of this.
Possibly also combinations of the above, e.g. "logged in users except banned user group".
Potential syntaxes
read: everyone, add: logged-in, edit: own, delete: own
. If a permission is provided without a value, the implied value is "everyone".Name brainstorming for this attribute:
mv-permissions
,mv-can
,mv-enable
mv-can-read="everyone" mv-can-add="logged-in" mv-can-edit="own" mv-can-delete="own"
. If an attribute is used without a value, the implied value is "everyone".In both proposals, undeclared permissions would be inherited.
We need feedback about:
Beta Was this translation helpful? Give feedback.
All reactions