Allow bots to manage their own permissions

[applebee1558]

With the sudden release of permissions v2, an important functionality of the Discord API has been removed. Bots are no longer able to manage permissions and must use the Oauth2 API in order to do so. There are multiple reasons why this brings unnecessary burdens and complexities to the end user and bot developer.

While Oauth2 permission managing could be useful for something like a bot's web panel, there are much more reasons a bot would manage its own command permissions outside of a website panel such as syncing a bot's own permission system that everyone already uses with Discord's command permissions v2. Requiring oauth2 for an API feature brings the following complexities.

1. People associate Oauth2 with "giving access" to their account. While adding a bot uses Oauth2, everyone knows that. However, people will find it suspicious that a bot needs "access" to their account again just to change permissions.

2. The Oauth2 screen is additional complexity for a feature that can literally be gated correctly with permissions. If a bot is granted permissions to do certain tasks in a guild, it should be expected that the bot can do it without additional authorizations and redirect loops.

3. Oauth2 tokens do not last forever. They need constant renewal if you want to keep using them. Running an auto-renew script is added complexity along with extra api calls that could be avoided.

4. The Oauth2 user could also be demoted or leave a certain guild, and then another user would need to auth the bot in order to bring back functionality.

I'm not sure why Discord requires Oauth2 for command permissions, as bots have historically always been able to edit things like channel permissions, role permissions, or modify anything on a guild as long as they have permissions. This change completely changes how the API functions and is very inconsistent with how the API works in general.

[erkinalp]

At least allow bots to demote their own permissions without additional auth.

[onerandomusername]

The concerns about this were a bot would be able to change its own permissions without moderators knowing. (Ironically, the rollout of perms v2 made commands that were previously locked now available to everyone)

However, what about a guild-wide or per-app setting in server settings that allows bots to manage their own permissions? If this was floated around internally, why was it denied?

[applebee1558]

If bots could modify them like perms v1 this would mean that a moderator can not stop the developer from changing the commands, which is unlike the rest of the permissions system.

What a bot ultimately does with the command still is dependent on the bot developer. For example, I could send a ephemeral message saying something along the lines of "you do not have permission to use this command"

[quirky-bluejay]

I don't understand why this isn't just gated the same way as users being able to manage command permissions is gated, like most other privileged guild actions (ban, kick, roles, channels, etc).
It seems inconsistent

[nmsturcke]

I completely understand why this is like that, it makes sense that the user has control over the commands that happen in their server.

However, from the Developer's point of view it's very useful and a better way to deal with permissions to access Permissions v2 the same way as a user does.

As mentioned above, a possible solution could be creating a MANAGE_COMMANDS permission for the guild that the bot can request. If the bot is given that permission, it can only manage commands that it created, not others whereas if a user has this permission it can manage all application commands.

[applebee1558]

@nmsturcke

it makes sense that the user has control over the commands that happen in their server

Isn’t it best that the user has control over everything that happens in their server in that sense? Bots can create and manage webhooks, create and manage roles, create and manage channels.

I agree with your manage_commands permission, but I think a bot should be allowed to edit all commands. None of the actions I listed above are locked specifically to what a bot owns or created.

[nmsturcke]

Bots can create and manage webhooks, create and manage roles, create and manage channels.

They can only do so if they're given permission to do so, that's why I think that a MANAGE_COMMANDS permission or similar would keep the uniformity with other actions a bot (and user) can do