[EPIC][Marketplace] Marketplace Permissions

[spencern]

Permission model for Marketplace.

Tasks

• Permissions should be settable by placing a user into a predefined group ([Marketplace] Permissions should be settable by placing a user into a predefined group #2184)

• Registry should permit group based permission allowance ([Marketplace] Registry should permit group based permission allowance #2185)

• Inviting someone to create a new Shop or Affiliate should automatically grant that user appropriate permissions when registered ([Marketplace] Inviting someone to create a new shop or affiliate shop should automatically grant that user appropriate permissions when registered #2186) (closed by [Marketplace] Inviting someone to create a new shop or affiliate shop should automatically grant that user appropriate permissions when registered #2538)

• Marketplace, Shop, and Affiliate owners should be able to add administrators (Marketplace, Shop, and Affiliate shop owners should be able to add administrators #2187) by Marketplace, Shop, and Affiliate shop owners should be able to add administrators via dashboard #2588

• "Owner" permission should be transferrable to another member of a Marketplace / Shop / Affiliate ([Marketplace] Owner permission should be transferable #2188) (closed by [Marketplace] Owner permission should be transferable #2188 #2609)

• Permission to grant and remove permissions from non-owner users should be grantable ([Marketplace] Permission to grant scoped permissions should be grantable #2189)

• Marketplace and shop owners, and account administrators should be able to view users with permissions ([Marketplace] Marketplace and shop owners, and account administrators should be able to view users with permissions #2190) (Functionally complete, but needs UI work)

• If a user is a member of multiple shops, they should be able to switch permission and shop dashboard contexts (#2191) Solved by [Marketplace] Feature - Dashboards for multiple shops #2429

• Marketplace, Shop, and Affiliate owners should be able to define the default permission set for new shops, affiliates, and admins they invite (#2192) (need to be able to edit default customer & guest groups)

• Users with permission to edit permissions of other users should be able to 'bulk edit' the permissions of users (#2193)

• Owners should be able to create custom permission groups ([Marketplace] Marketplace and Shop owners should be able to create custom permission groups #2194) closed by Accounts dashboard base UI for Feature: "Marketplace and Shop owners should be able to create custom permission groups" #2543 and [Marketplace] Feature - Permissions should be settable by placing a user into a predefined group #2448

• New permissions added to an existing Reaction Commerce app should update existing users permission sets appropriately ([Marketplace] New permissions added to an existing RC app should update existing users permissions appropriately #2195)

• Custom Permission Groups ([Marketplace] Custom Permission Groups #2509) Closed

Docs

• Docs explaining what permissions in RC do and the basics of how they work

• Define default permission levels for each audience

• Define what each permission grants and what possible side-effects are (for each permission in core, also for each permission in included plugins)

• Docs explaining best practices for checking permissions

• Docs explaining best practices for granting permissions (both default and dynamically)

Notes

Possible Permission Groups

• Marketplace Owner
• Marketplace admin
• Shop Owner
• Shop Admin
• Affiliate Shop Owner
• Affiliate Shop Admin
• Customer
• Guest

Some marketplace permissions discussion in issue #357

[spencern]

@impactmass @aaronjudd @zenweasel

Can you guys take a look through these issues and let me know where you think there's enough detail and where there needs to be more detail?

[brent-hoover]

@spencern These seem like they have enough detail but I admit I am still having difficulty wrapping my head around how these all work in tandem with each other (which sort of rights supersede other rights) and how these translate into what a user can and cannot do (e.g. who can see all shops, etc.). I don't know that's really the fault of this doc though. Maybe somebody needs to draw me some pictures or something.

[spencern]

I'll see if I can draw some pretty pictures for what I'm thinking here

[impactmass]

Current thoughts/direction about groups implementation:

• Building on top of our current way of having permissions on Users/Accounts grouped by shop:
• Add a "groups" field into Shop collection. It can be modeled like:

{
  _id: 112334,
  name: "A shop",
  groups: {
    "consultant": ["Create", "Edit"],
    "manager": ["Delete"],
  }
}

• Permissions can then be created (and modified) on "groups" scoped to each shop
• Put an extra "groups" field on users accounts as well. This will carry the label of all the groups the user belongs to. e.g

{
  _id: 112334,
  emails: [],
  roles: [
    "J8Bhq3uTtdgwZx3rz": []
    "otherShopId": []
  ],
  groups: [
    "J8Bhq3uTtdgwZx3rz": [],
    "otherShopId": ["consultant", "manager"]
  ]
}

• This will help when permission in a group gets updated. Users with that permission can get updated as well (while also doing update to ensure remaining group previleges are intact.)

[aaronjudd]

@impactmass this is the general direction I was thinking as well. makes sense to me.

[spencern]

Looks good to me @impactmass.

[spencern]

@impactmass and I just had a discussion on the direction of Permissions and we've decided to focus on the following modifications to the Permissions epic.

• Each user can belong to exactly one group per shop
• From the UI, you can assign permissions to users by assigning a user to a group
• From the UI, you can create 'custom' permissions for users by creating a new group
• Removing a user from a group should reset their permissions and group back to the basic shopper permissions (guest) and remove them from the shop admin accounts/users interface
• Changing a users group should add/remove necessary permissions to match the new group the user is in.

[impactmass]

A note here:
_ Items/tickets that are checked and crossed out are done. Items that are checked, but not crossed have two parts to them: server implementation (which is complete), and UI aspect (still in progress).
_ The UI part (mostly around the Accounts part of admin dashboard and currently in Blaze) is being changed to React while also implementing the new design. Progress on that can be tracked on this WIP PR by @rhenshaw56

[rymorgan]

Adding this here -- here are the latest screens for permission, made a few small updates mentioned here: #2194

Screens:
Intial User Screen- https://zpl.io/Z162xqi
Edit Permissions Screen - https://zpl.io/nVX8n
Edit Groups - https://zpl.io/Zh8Rdn
Add Group - https://zpl.io/ZTEMLM
Edit Owner - https://zpl.io/15nVaK

[spencern]

I'm going to close this as we've completed the essential items, the other items in this list have individual tickets, and it's not on the immediate horizon.