[EPIC] Minimal role and permission management

Parent Epic: [EPIC] Role and Permission Management (#77)

For the 1.0 release we want a minimal implementation of these three user groups/roles:
- Admin/superuser: identified by the checked superuser flag in the Django backend.
- Programme coordinator: this group holds almost all permission strings, except those for Django administration and the radio station administration area in Dashboard.
- Host: there are two groups identifying the host role, 1.) "host" and 2.) "host+". They are only containers for a different default set of permission strings.
As a basis we use Django Role & Permission management and expose them via the API. Dashboard gets a set of permissions per user role, assigned to the user object.
This initial set of permissions does not reflect all details of all radio stations. More fine-granular permissions will be provided with 1.1 or later.
Role access per Dashboard area
- Show View:
  - Listing shows: Admins and Programme Coordinators see a list of all available shows; hosts only see shows where they are assigned as show admins.
  - Generally read & write for hosts, but only where they are set as show admins. Individual differences on field level, see next chapter.
- Media Library Management View: Generally read & write for hosts (individual differences on field level, see next chapter).
- Calendar View: For hosts the calendar view should only have read access. Admins and Programme Coordinators have full read/write access.
- Radio Station Settings (located in Dashboard footer): Only Admins have read/write access, Programme coordinators read-only access.
- Episode Details: We leave this out for now. TODO: Clarify whether episodes in the past should always be fully editable by hosts?
Requirements collected from radios
The permissions should be assignable to the role or user in the Django backend. All permissions are transparently applied with permission strings. There is no implicit logic inherited from the groups or group names themselves.

Show View:
- Show title and description should only be editable by ProKo (helsinki)
- Show title and description should be editable by everyone (o94)
- Show category should only be editable by ProKo (o94)
- Show topic should only be editable by ProKo (o94)
- Show type should only be editable by ProKo (o94)
- Show slug editable (ProKo only, o94)

Media View:
- Playlist entry "Stream" should only be available for ProKo (o94, see Permission managment for adding playlist entrie... (dashboard#57 - closed))

Episode:
- Episode edit category should only be editable by ProKo (o94)
- Episode edit topic should only be editable by ProKo (o94)
- Episode edit language (o94 ProKo requirement, but can be useful for hosts, too)
Fine grained permissions on field-level
At least these fields should be configurable. The group assignments are defaults only and can be changed by admins. These permissions can also be assigned to individual users.
Area | Field / Action | Programme Manager | Host | Host+ |
---|---|---|---|---|
show | title | rw | r | r |
show | subtitle | rw | r | rw |
show | description | rw | r | rw |
show | logo | rw | r | rw |
show | image | rw | r | rw |
show | categories | rw | r | r |
show | topic | rw | r | r |
show | music genres | rw | r | r |
show | languages | rw | r | r |
show | type | rw | r | r |
show | | rw | r | rw |
show | links | rw | r | rw |
show | editorial staff | rw | r | rw |
show | administrators | rw | r | r |
show | funding category | rw | r | r |
show | cba id | rw | r | r |
show | predecessor | rw | r | r |
show | internal_note | rw | no access | no access |
show | default media source | rw | r | rw |
show | deactivate show | rw | r | r |
show | delete show | rw | r | r |
show | slug | rw | r | r |
episode | title | rw | rw | rw |
episode | summary | rw | rw | rw |
episode | content | rw | rw | rw |
episode | image | rw | rw | rw |
episode | contributors | rw | rw | rw |
episode | topics | rw | r | r |
episode | languages | rw | r | rw |
episode | tags | rw | rw | rw |
episode | links | rw | r | rw |
media-source | file | rw | rw | rw |
media-source | line | rw | r | rw |
media-source | stream | rw | r | rw |
media-source | import | rw | r | rw |
calendar | * | rw | r | r |
admin | * | r | no access | no access |
Legend:
- r = read-only
- rw = read and write access possible
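The permission-string model described above (roles as plain containers of strings with no logic attached to the group name, per-user grants on top of the group default, superuser bypass) together with the field-level matrix, as an added example that is not part of this issue or of the project's own code. It deliberately does not import Django so it runs stand-alone; the `Group` and `User` classes imitate the relevant semantics of `django.contrib.auth` (effective permissions are the union of direct and group grants, `has_perm`, superusers pass every check). The codename scheme `<area>.view_<field>` / `<area>.change_<field>`, the role keys, and the sample show record are assumptions made for illustration; Django's built-in permissions are per model, so field-level strings like these would have to be custom permissions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    """A role is nothing but a named container for permission strings."""
    name: str
    permissions: frozenset[str]


@dataclass
class User:
    username: str
    is_superuser: bool = False
    groups: list[Group] = field(default_factory=list)
    user_permissions: set[str] = field(default_factory=set)

    def get_all_permissions(self) -> set[str]:
        # Union of direct grants and every group's strings, as in django.contrib.auth.
        perms = set(self.user_permissions)
        for group in self.groups:
            perms |= group.permissions
        return perms

    def has_perm(self, perm: str) -> bool:
        # Superusers pass every check (mirrors ModelBackend); everyone else is judged
        # only by the strings they hold, never by the name of a group.
        return self.is_superuser or perm in self.get_all_permissions()


# Excerpt of the field-level matrix from the table; the access levels are the
# table's own ("rw", "r", "no access"). Role keys are constructed for this example.
FIELD_MATRIX = {
    "show": {
        "title":         {"programme_coordinator": "rw", "host": "r", "host+": "r"},
        "description":   {"programme_coordinator": "rw", "host": "r", "host+": "rw"},
        "internal_note": {"programme_coordinator": "rw", "host": "no access", "host+": "no access"},
    },
    "episode": {
        "title":  {"programme_coordinator": "rw", "host": "rw", "host+": "rw"},
        "topics": {"programme_coordinator": "rw", "host": "r", "host+": "r"},
    },
}


def perms_for(area: str, fld: str, level: str) -> set[str]:
    """Map one table cell to permission strings under the assumed codename scheme
    "<area>.view_<field>" / "<area>.change_<field>"."""
    if level == "no access":
        return set()
    perms = {f"{area}.view_{fld}"}
    if level == "rw":
        perms.add(f"{area}.change_{fld}")
    return perms


def build_groups(matrix: dict) -> dict[str, Group]:
    """Turn the matrix into the default permission set of each role (admins can edit it later)."""
    by_role: dict[str, set[str]] = {}
    for area, fields in matrix.items():
        for fld, levels in fields.items():
            for role, level in levels.items():
                by_role.setdefault(role, set()).update(perms_for(area, fld, level))
    return {role: Group(role, frozenset(perms)) for role, perms in by_role.items()}


def field_access(user: User, area: str, fld: str) -> str:
    """Effective access to one field, resolved purely from permission strings."""
    if user.has_perm(f"{area}.change_{fld}"):
        return "rw"
    if user.has_perm(f"{area}.view_{fld}"):
        return "r"
    return "no access"


def readable_fields(user: User, area: str, obj: dict) -> dict:
    """What an API response may contain: fields the user may not view are dropped."""
    return {k: v for k, v in obj.items() if field_access(user, area, k) != "no access"}


def apply_update(user: User, area: str, obj: dict, changes: dict) -> dict:
    """Reject the whole write if any changed field is not writable for this user."""
    denied = sorted(k for k in changes if field_access(user, area, k) != "rw")
    if denied:
        raise PermissionError(f"{user.username} may not change {denied} on {area}")
    return {**obj, **changes}


if __name__ == "__main__":
    groups = build_groups(FIELD_MATRIX)
    host = User("host1", groups=[groups["host"]])
    # A per-user grant on top of the group default, as the text allows.
    host_with_title = User("host2", groups=[groups["host"]], user_permissions={"show.change_title"})
    show = {"title": "Morning", "description": "...", "internal_note": "secret"}  # constructed record
    print(field_access(host, "show", "title"), field_access(host_with_title, "show", "title"))
    print(readable_fields(host, "show", show))
```

Two properties worth checking when wiring this into the real backend: a group called "host" that carries no strings grants nothing (the name is not consulted anywhere), and an update is refused as a whole rather than silently dropping the fields the caller may not change, so a client cannot probe which fields were accepted.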