WIP: user groups

TODO.md

@@ -37,7 +37,7 @@
 
 - [x] UserWebGUI: activate account with token
 
-- [ ] feat(perms): add groups and roles
+- [x] feat: add groups and roles models
 
 - [ ] UserWebGUI: add TOTP
 - [ ] send emails to users
@@ -48,3 +48,9 @@
 - [ ] AdminWebGUI: List users
 - [ ] AdminWebGUI: Assign groups to users
 - [ ] AdminWebGUI: Create invitation
+
+# Minimal flow
+
+- [ ] Invite user from command line bash script that will edit sqlite
+- [ ] Activation UI
+- [ ] Send email

config.toml

@@ -48,9 +48,28 @@ slug = "basic"
 name = "Basic"
 description = "Basic user"
 default = true
+permissions = []
 
 [[roles]]
 slug = "admin"
 name = "Administrator"
 description = "Full power on organization instance"
+permissions = [
+    "InviteUser", # creation of user
+    "ListUsers",
+    "EnableUser",
+    "DisableUser",
+    "AssignUserGroups"
+]
 
+# [[groups]]
+# slug = "ca_member"
+# name = "G1"
+# description = "Lorem ipsum"
+# roles = []
+
+# [[groups]]
+# slug = "bureau"
+# name = "G2"
+# description = "Lorem ipseum"
+# roles = ["admin"]

docs/draft.md

@@ -3,3 +3,28 @@
 https://datatracker.ietf.org/doc/html/rfc6749
 
 https://stackoverflow.com/questions/79118231/how-to-access-the-axum-request-path-in-a-minijinja-template
+
+# Need for groups and roles
+
+There is two kinds of role
+
+- Role that will be used interllay to the tapp
+- Roles that will be used exteranlly on oauth2 clients.
+
+- For now we only have roles and not groups
+
+## Groups feature
+
+Group will be later used to combine multiple roles.
+
+# [[groups]]
+# slug = "ca_member"
+# name = "G1"
+# description = "Lorem ipsum"
+# roles = []
+
+# [[groups]]
+# slug = "bureau"
+# name = "G2"
+# description = "Lorem ipseum"
+# roles = ["admin"]

src/controllers/ui/register.rs

@@ -47,7 +47,7 @@ pub async fn perform_register(
 
         password_hash,
         status: UserStatus::Active,
-        roles: Json(Vec::new()), // take the default role in the config
+        roles: Json(Vec::new()),
         activation_token: None,
         created_at: Utc::now(),
         website: None,
@@ -93,7 +93,7 @@ pub async fn perform_register(
         StatusCode::OK,
         "pages/register",
         context!(
-            success => true     
+            success => true
         )
     )
 }

src/models/config.rs

@@ -1,3 +1,5 @@
+use std::collections::HashSet;
+
 use fully_pub::fully_pub;
 use serde::{Deserialize, Serialize};
 
@@ -48,6 +50,20 @@ struct Application {
     login_uri: String
 }
 
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Hash, Eq)]
+#[fully_pub]
+enum Permission {
+    ListUsers,
+    DisableUser,
+    EnableUser,
+    VerifyEmail,
+    InviteUser,
+    DeleteUser,
+    ResetUserPassword,
+    AssignUserGroups
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[fully_pub]
 struct Role {
@@ -55,7 +71,8 @@ struct Role {
     name: String,
     description: Option<String>,
     #[serde(default = "_default_true")]
-    default: bool
+    default: bool,
+    permissions: HashSet<Permission>
 }
 
 // todo: Role hierarchy https://en.wikipedia.org/wiki/Role_hierarchy