App Permissions

[ErisDS]

Ref: App Ideas Permissions and #2007

We want applications to be able to define the permissions they require to work. These permissions cover api / acl style CRUD permissions on models, like add post, edit user, and also potentially more general permissions on non-objects like 'add route'.

These permissions are used in two ways:

1. for implementing access control throughout Ghost see ACL for Apps #2059
2. to present to the user when installing a theme, to give the user visibility on what an app might be doing.

We need a way for apps to define what permissions it needs. This needs to be accessible throughout the application so that the ACL tools can read & check against them.

User ACL exists in the form of roles, permissions, user_roles, user_permissions, and role_permissions tables in the database.

The first problem that we need to solve is how should apps define their permissions? Is having their own config.js as suggested by App Ideas Permissions the best solution? Or could this be done in package.json?
The main difference being that a .js file can contain JavaScript, and that a package.json has a specified format and is used by other things, so might end up with its own permissions option which would clash.

The second problem is how to make these permissions available to the application. Is loading the permissions object / array into memory enough or should we load these into the database?

As a result of this issue, I'd like to see a defined spec for a basic set of app permissions and how to define them on the wiki, as well as implementing the loading of these permissions in the app loader.

[jgable]

I vote for a standalone permissions.json file or something in the App root that if not present will default to the most restrictive permissions possible (read only posts?). Or, it could just be required and we throw an error if it's not there.

I vote for the structure you mentioned in the App Ideas Permissions link, here is a list of things I can think of off the top of my head:

{
    "posts": ['create', 'edit', 'remove'],
    "users": ['create', 'edit', 'remove']
    "settings": ['create', 'edit', 'remove'],
    "helpers": ['create', 'edit', 'remove'],
    "routes": ['create', 'edit', 'remove']
}

As for storing permissions, we might be able to get away with just storing them in memory since the appProxy is the only thing I can think of that uses them. I envision the app proxy changing to be created for each app uniquely instead of just having one that is passed to all sorta like:

function createAppProxy(permissions) {
  var proxy = {};
  if (_.contains(permissions.filters, 'create')) {
    proxy.filters = { register: filters.registerFilter, ... }
  }

  // etc...

  return proxy;
}

[hswolff]

The first problem that we need to solve is how should apps define their permissions?

My vote is for defining these permissions in the app's package.json file under a special ghost property. I first saw this type of usage in hoodie.

Namespacing all ghost specific values under the ghost property should prevent clashing and will allow us to extend it as we need to without fear.

In package.json

"ghost": {
  "permissions": {
    "posts": ['CRUD'],
    "users": ['CRU'],
    "settings": ['R'],
    "helpers": ['create', 'read', 'update', 'remove'],
    "routes": ['create', 'read', 'update', 'remove']
  }
}

I'd argue against requiring an additional file that defines app properties as it adds necessary weight, complexity, and indirection when creating and installing an app. On the create side there's more files to keep track of and scaffold when starting up. On the Ghost side it's more files that have to be read and included and kept track of.

Maintaining all property definitions of a Ghost app in one file should be the easiest to create and consume.

Also to be semantic, I'd prefer to maintain the words used by CRUD as that is what we're defining. As I showed above you could even allow a short-hand of just using the letters of each permission type.

The second problem is how to make these permissions available to the application. Is loading the permissions object / array into memory enough or should we load these into the database?

I have a vague idea of perhaps using JSON Web Token (JWT) as a way to persist these permissions.

The way I imagine it working is:

1. User installs and activates an app through Ghost admin.
2. A JWT is created for that app which includes their permissions encoded encoded in the JWT. This can be saved in the DB and should be given to the application, as that is how it must sign all of its requests.
3. Whenever the app makes an internal request (or any request) it passes along the JWT which Ghost can then decode to get the raw permissions object that it can use to check if the app has permissions to make that request.
4. Whenever the app is uninstalled the token is made inactive.

[jgable]

On the create side there's more files to keep track of and scaffold when starting up. On the Ghost side it's more files that have to be read and included and kept track of.

I agree. I'd like to change my vote. Only thing I'm worried about is how it may affect potential upgrade scenarios, if we use an npm like update command then would a person be required to bump their package version to update permissions? I mean, I think it's reasonable to have to do that, but just throwing stuff out there.

I'd prefer to maintain the words used by CRUD

We've previously used the BREAD nomenclature (browse, read, edit, add delete), just need someone to deciderize on which and we can stick to it. I do like the idea of shorthand, but would just make it a string without the array around it to more easily distinguish the shorthand being used.

JWT

That seems kind of complex. The only way an App can currently interact with the API is through the proxy object, so I think putting the checks into there is the way to go.

[javorszky]

Hm, would the app permissions be double checked against the user? Sortof like when you're connecting your app to Facebook. "This app wants access to your friends list, personal info, and would ilke to post messages on your behalf, allow or deny?".

[ErisDS]

@javorszky How the permissions get used is discussed here: #2059. Updated the main issue to include this.

[sebgie]

I would second @hswolff suggestion to add a custom ghost object to package.json. It removes the need for another file and allows a developer to keep all necessary settings in one place.

CRUD vs. BREAD
Sorry for introducing another nomenclature. When it comes to consistency, consistency, consistency (see GDK) I would vote for BREAD and use the whole word without abbreviations for now.

From the perspective of permissions for an App developer I'm not sure if there is a big difference between read and browse. So maybe READ would be sufficient? Thoughts?

JWT
I currently don't see the need to generate a signed JWT and store it within Ghost? For our initial implementation the permissions are used to create a proxy object and could be stored there if needed?

[ErisDS]

BREAD 👍

From the perspective of permissions for an App developer I'm not sure if there is a big difference between read and browse. So maybe READ would be sufficient? Thoughts?

I have a question to answer your question: Browse and Read are definitely the same for posts, but are they the same for users? Or settings? I think they probably are... just trying to think of scenarios. Ultimately browse / read are limited by other things though - like type for settings. Going to be interesting to implement that.