Commit 79bfffc

Clarify permission system. (#925)
* Clarify permission system.
* Rename 925.docs to 925.doc

Signed-off-by: Will Hunt <[email protected]>

---------

Signed-off-by: Will Hunt <[email protected]>
1 parent 45060f2 commit 79bfffc

2 files changed

+23
-5
lines changed

changelog.d/925.doc

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Clarify permissions system documentation.

docs/setup.md

Lines changed: 22 additions & 5 deletions
@@ -123,17 +123,34 @@ Each permission set can have a service. The `service` field can be:
123123
- `challengehound`
124124
- `*`, for any service.
125125

126+
The `level` determines what permissions a user has access to on the named service(s). They are
127+
additive, one level grants all previous levels in addition to previous levels.
128+
126129
The `level` can be:
127130

128131
- `commands` Can run commands within connected rooms, but NOT log in to the bridge.
129-
- `login` All the above, and can also log in to the bridge.
130-
- `notifications` All the above, and can also bridge their notifications.
132+
- `login` All the above, and can also log in to supported networks (such as GitHub, GitLab). This is the minimum level required to invite the bridge to rooms.
133+
- `notifications` All the above, and can also bridge their own notifications. Only supported on GitHub.
131134
- `manageConnections` All the above, and can create and delete connections (either via the provisioner, setup commands, or state events).
132135
- `admin` All permissions. This allows you to perform administrative tasks like deleting connections from all rooms.
133136

134-
When permissions are checked, if a user matches any of the permissions set and one
135-
of those grants the right level for a service, they are allowed access. If none of the
136-
definitions match, they are denied.
137+
If any of the permissions matches positively for a user, they are granted access. For example:
138+
139+
```yaml
140+
permissions:
141+
- actor: example.com
142+
services:
143+
- service: GitHub
144+
level: manageConnections
145+
- actor: "@badapple:example.com"
146+
services:
147+
- service: GitHub
148+
level: login
149+
```
150+
151+
would grant `@badapple:example.com` the right to `manageConnections` for GitHub, even though they
152+
were explicitly named for a lower permission.
153+
137154

138155
#### Example
139156
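
Review bot: The rewritten paragraph at new lines 137-152 drops the old sentence "If none of the definitions match, they are denied", so the default-deny behaviour is no longer stated in this section; please keep a sentence saying that a user who matches no entry gets no access. The `@badapple:example.com` example would also benefit from one explicit line that entries only ever grant and never restrict, so an operator who wants one user at a lower level than the rest of their homeserver has to narrow the broad `actor: example.com` entry rather than add a more specific one. Two smaller points: at new lines 126-127, "one level grants all previous levels in addition to previous levels" repeats itself and "They" refers to the singular `level` (suggest "Levels are additive: each level also grants every level listed before it"), and the example uses `service: GitHub` while the service values listed in the context just above are lowercase (`challengehound`), so please confirm the casing matches what the config accepts.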
