Reworking user roles grant and admin

[fungilation]

Context: in nhost.toml, standard config for roles.allowed:

[auth.user.roles]
default = 'user'
allowed = ['user']

When roles.allowed includes other roles, such as moderator. "allowed" implies a list that could be granted to users. But no, current behaviour is that any on this list is auto granted to all new users. This is misleading and dangerous, when additional roles is associated with higher permissions, and thus should be only allowed but require explicit (manual) grant to select users.

I suggest reworking this for both nhost.toml and dashboard /users, ex.

Allowed Roles here should instead be a new config for "Granted Roles". Where it list all roles in the auth.roles table, with select toggles on as per what's been granted under the auth.user_roles table.

And then, in dashboard /settings/roles-and-permissions

This actual Allowed Roles list should be just a CRUD interface to config the auth.roles table. Could even just link out to dashboard /database/browser/default/auth/roles

With above, auth.user.roles.allowed in nhost.toml should be deprecated. Grant is per user_roles, and Allowed is all rows in roles tables

[dbarrosop]

Thanks, we will take a look.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[kelkes]

Any progress on that matter? I still run into issues here Because i can't configure the available roles and default assigned roles separately

[dbarrosop]

Because i can't configure the available roles and default assigned roles separately

You can do it today. The proposed changes here are purely UX improvements (much needed to be fair) but functionality-wise it doesn't add anything new.

Basically the way it works today:

1. To configure available roles just manage them in the auth.roles table. Removing/Adding them there will make them available.
2. To configure the default roles assigned to new users, you can set "default allowed roles" in the dashboard or nhost.users.roles.default in the toml.

[kelkes]

The main problem is, that the role is not listed in the User Configuration when it's not in the list of Available roles (altough it's in the table roles)... But when it's in the list, it will be added by default to the user.

I know that it can fix that all via the database.. but my client can not, and they are using the Auth UI to set roles for their users.

[dbarrosop]

The main problem is, that the role is not listed in the User Configuration when it's not in the list of Available roles (altough it's in the table roles)... But when it's in the list, it will be added by default to the user.

Ok, that's a bug in the dashboard then. We are probably fetching the data from the wrong place so that needs fixing.

[dbarrosop]

I created an issue that we will be prioritizing to fix the aforementioned bug. nhost/nhost#3166

[dbarrosop]

I think this issue is mostly solved as I think this issue was mostly due to a confusion introduce by a bug in the dashboard. The way it works is as follows:

[auth.user.roles]
allowed = [ "user", "me" ]

This config basically says that a user can request the roles "user" and "me" during sign up. If the user doesn't request anything we automatically assign all.

Now, the issue was that the dashboard was then using this same "allowed" setting to show which roles a user can be assigned when editing them, which was NOT correct. The dashaboard should've been querying auth.roles table as that's where we store ALL possible roles a user can have. Now that that's been fixed and we are reading the data from the correct place I think this issue can be closed. Thanks to @kelkes for providing some extra information we were missing.

I am closing the issue but feel free to reopen if anyone thinks this issue is not yet solved.