Enhance permission management on /contacts
Current state
- When somebody creates a entity (device/platform/configuration) he gets added to the contacts
- I'm not quite sure if you already get added if you just log in for the first time (correct me here)
- Everybody who
is logged in
can go toContacts
and- see all contacts
- can edit all contacts
- can delete all contacts
- if the person is referenced by any entity this will fail
Wished behavior
- not everybody can see everybody
- not everybody can edit everybody
- not everybody can delete everybody
Suggestions how to improve the permissions
- I focused on
edit
permissions, because:- I think it is good to view everybody and it would be too complicated to restrict this
- You can't delete anybody associated to an entity by default
- Everybody should be able the create new contacts if they were missing
- general there are two types of
contacts
:- created by
system
(when creating a entity, e.g. device) - created by
other user
- created by
Edit Permission for contacts created by system
- the
super user
(SMS-admin) - the user (
contact
) himself
Edit Permission for contacts created by other user
- the
super user
(SMS-admin) - the
other user
how created thecontact
- the user (
contact
) himself
Requirements
- the database must know who created the contact: the
system
or another user
(and of course the user id)- e.g. table
contacts
gets another columncreated_by
of typestring
(varchar) - possible values would be:
system
- the
user_id
of the user who created the contact
- e.g. table
Edited by Tobias Kuhnert