HTML syntax for granular permissions #318
Description
When Mavo started, we were only using flat files to store all Mavo app data remotely, and backends that were basically file stores. Therefore, there was no way of only being able to read/edit part of the data: either you were able to read/edit all of it, or none of it. The set of possible permissions were very small, and Mavo conveniently read it from the backend and applied it to the UI.
This works well for apps where the data is only managed by one person or a small team of people that trust each other, such as PIM apps and CMS-style applications. However, it makes several types of apps impossible, such as:
- Comments and ratings on collection items (read: public, write: own)
- Surveys (read: admins+own, write: own)
- Chats and discussions of any sort (read: *, write: own)
Thankfully, this restrictive assumption is challenged by new backends like Firebase. This means, there needs to be a way for Mavo authors to describe these granular permissions in their HTML. Ideally, the remote backend would read these permissions, verify them with the admin when they are logged, and set them remotely too. But even backends that require setting permissions separately need to reflect them into the UI somehow. Sure, the Backend could read them remotely, parse them and apply them, but that's an extra step that not all backend authors do.
We've already seen that backend authors tend to expect HTML authors to duplicate the permissions in their HTML, and have to invent their own syntax, which sometimes even goes against best practices:
- @valterkraemer’s Firebase plugin uses a
mv-unauthenticated-permissions="read edit save"attribute - @lizziew’s Firebase plugin expects keywords like
public-read,public-write,user-writein themv-appattribute (!).
Since this is a common need, we need to devise a syntax for it, and have Mavo process it, apply it in the UI, and expose it to the backends. This will also mean that backend authors are more likely to support granular permissions in that case, as it's much less work for them.
I will start trying to come up with a good syntax with some brainstorming:
Types of permissions
Currently, Mavo supports the following types of permissions:
- Read
- Add
- Delete
- Edit (also sets add + delete to true)
- Save
- Login (available only to unauthenticated users on backends that support authentication)
- Logout (available only to authenticated users on backends that support authentication)
Currently, Mavo reads these permissions from the backend, and exposes them on an mv-permissions attribute on the Mavo root. The mv-permissions attribute is read-only, and setting it doesn’t do anything.
User targets
The following scopes seem most useful, but perhaps I'm missing some:
- Nobody
- admins or specific named user group, for backends that support that
- logged in users
- creator of item
- everyone
The last three are probably the most useful, and should be included in even the tiniest MVP of this.
Possibly also combinations of the above, e.g. "logged in users except banned user group".
Potential syntaxes
- We use one attribute whose value is a key-value list, like
read: everyone, add: logged-in, edit: own, delete: own. If a permission is provided without a value, the implied value is "everyone".
Name brainstorming for this attribute:mv-permissions,mv-can,mv-enable - We use separate attributes, e.g.
mv-can-read="everyone" mv-can-add="logged-in" mv-can-edit="own" mv-can-delete="own". If an attribute is used without a value, the implied value is "everyone".
In both proposals, undeclared permissions would be inherited.
We need feedback about:
- Are the user targets above sufficient? Can you think of something else that you need?
- Do you prefer one or multiple attributes? Or perhaps you can think of a different syntax entirely?
- Any ideas about the names of the attributes and/or their values?