Ability to request temporary permissions

[baptiste0928]

Edit:
I would like to clarify the purpose of this suggestion. The goal is not to protect against malicious bots, which could not use this system. The goal is to reduce the incidence of a compromised bot by reducing its attack surface. Even if less common, compromised bots are much more dangerous because they can perform unwanted actions on much more servers.

This will also allow users to better understand why a permission is requested, as it will be requested at the time of the action and not beforehand (useful for servers that have strict control over the permissions granted to bots).

Bot permissions are generally permanently granted unless they are manually changed in role settings. This is bad for security, since a lot of bots asks when added for permissions that can be dangerous if compromised, like manage channels/roles. However, many bots use administrative permissions like these on an ad hoc basis, when a user makes a certain command or for a one-time automatic configuration for example.

To avoid bots from asking for too many permissions in the initial authorization, I suggest a new feature that enables users to simply add permissions to an existing bot without messing with role settings, either temporarily or permanently. This could be done through an in-app popup triggered by a button, or a webpage when asked from a web dashboard or similar.

I made a simple mockup of what it could look like:

This will improve the UX for users over existing solutions (i.e. a message telling users to go to role settings) while improving security with temporary permissions. It will no longer be necessary to ask for these permissions from the start because of the risk of losing users with a complicated process to add them later.

[kingmigdor]

But with manage roles perm or requesting admin perm for 5 minutes or smth, the bot could just create a new role with admin perms and attach it to themselfes...

[baptiste0928]

I updated the description to clarify the goals of this suggestion. It's not about protecting against malicious bots, the goal is to reduce the incidence of compromised bots.

[SkyfallWasTaken]

Couldn't an evil bot just nuke the server or something in 5 minutes? IMO it just gives the user a false sense of security. Personally I'd like to be able to request approval for the specific action (eg. Kick @user, timeout @user2 for 10 minutes) and have the permission granted for that specific action.

[baptiste0928]

I updated the description to clarify the goals of this suggestion. It's not about protecting against malicious bots, the goal is to reduce the incidence of compromised bots.

Personally I'd like to be able to request approval for the specific action

This will make the user experience worse, as these permissions are usually requested on moderation commands with the goal of being run quickly. Imho a system based on the command arguments would be better (giving the permission only for members mentioned in the command) for this use case.

[RealAlphabet]

It won't make things safer, let alone better from a user experience perspective.

I think I understand the idea. Some bots need certain "critical" permissions only to ensure the operation of a single, very little used feature, like applying a server backup.

First, 5 minutes is enough to raid. Second, you can't force bots to use a temporary permission system. Malicious bots will continue to request critical permissions when adding them.

Users should be careful about the permissions they grant. I noticed that you are the author of an anti-raid bot, it is the responsibility of such bots to ensure security against potentially malicious bots in this case.

Being able to change the permissions requested by the bot when it is first authorized would be more appropriate.

[baptiste0928]

Yes, it's useless to protect yourself from malicious bots. The goal is to reduce the incidence of a compromised bot by reducing its attack surface. Giving administrative permissions for one-time actions is a security issue if the permission is not removed, since in the event that the bot is compromised, a malicious actor could use it to destroy the server or perform other unwanted actions. The temporary permissions will greatly reduce this risk for the bots using it.

[RealAlphabet]

Yes, it's useless to protect yourself from malicious bots. The goal is to reduce the incidence of a compromised bot by reducing its attack surface. Giving administrative permissions for one-time actions is a security issue if the permission is not removed, since in the event that the bot is compromised, a malicious actor could use it to destroy the server or perform other unwanted actions. The temporary permissions will greatly reduce this risk for the bots using it.

In this case it is the responsibility of the bot creator. I don't think temporary permissions will help, if a bot is compromised they will still be able to send a private message to all members unless a new explicit permission is created to allow bots to send a private message to members. Which wouldn't be totally useless. If the server is raided there are backup solutions like Xenon for example. The only useful feature that would reduce the incidence of a bot token compromise would be the addition of the IP whitelist system. From what I read they are already adding it. As far as compromising the bot process, no security model related to Discord will help.