
Reworking user roles grant and admin #491

Open
fungilation opened this issue Mar 22, 2024 · 6 comments

fungilation commented Mar 22, 2024

Context: in nhost.toml, standard config for roles.allowed:

```toml
[auth.user.roles]
default = 'user'
allowed = ['user']
```

When roles.allowed includes other roles, such as moderator, "allowed" implies a list that could be granted to users. But no, current behaviour is that any role on this list is auto-granted to all new users. This is misleading and dangerous when additional roles are associated with higher permissions, and thus should be only allowed but require explicit (manual) grant to select users.

I suggest reworking this for both nhost.toml and dashboard /users, ex.

[screenshot]

Allowed Roles here should instead be a new config for "Granted Roles", where it lists all roles in the auth.roles table, with select toggles on as per what's been granted under the auth.user_roles table.

And then, in dashboard /settings/roles-and-permissions

[screenshot]

This actual Allowed Roles list should be just a CRUD interface to config the auth.roles table. Could even just link out to dashboard /database/browser/default/auth/roles

With the above, auth.user.roles.allowed in nhost.toml should be deprecated. Grant is per user_roles, and Allowed is all rows in the roles table.

dbarrosop self-assigned this Apr 3, 2024

dbarrosop (Member) commented
Thanks, we will take a look.

stale bot commented Sep 30, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the stale label Sep 30, 2024
dbarrosop removed the stale label Sep 30, 2024

kelkes commented Jan 23, 2025

Any progress on that matter? I still run into issues here because I can't configure the available roles and default assigned roles separately.

dbarrosop (Member) commented

> because I can't configure the available roles and default assigned roles separately

You can do it today. The proposed changes here are purely UX improvements (much needed to be fair) but functionality-wise it doesn't add anything new.

Basically the way it works today:

  1. To configure available roles just manage them in the auth.roles table. Removing/Adding them there will make them available.
  2. To configure the default roles assigned to new users, you can set "default allowed roles" in the dashboard or nhost.users.roles.default in the toml.
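The two steps above, carried out in SQL against the auth schema, with the checks a reviewer would run afterwards. This is an added example and not code from the issue or from Nhost itself; the table and column names (auth.roles.role, auth.user_roles.user_id and .role, auth.users.id) and the user id are assumptions to be checked against your own database.

```sql
-- Added example, not Nhost's own code. Assumed schema (verify before use):
--   auth.roles(role text primary key)
--   auth.user_roles(id uuid, user_id uuid, role text)
--   auth.users(id uuid primary key)

-- Step 1: make an elevated role *available* without granting it to anyone.
-- Nothing in auth.user.roles.allowed / default in nhost.toml changes.
INSERT INTO auth.roles (role)
VALUES ('moderator')
ON CONFLICT (role) DO NOTHING;

-- Step 2: grant that role explicitly to one selected user
-- (hypothetical user id for illustration).
INSERT INTO auth.user_roles (user_id, role)
VALUES ('00000000-0000-0000-0000-000000000001', 'moderator');

-- Check A: who currently holds any role beyond the default 'user'?
-- Review this list whenever nhost.toml or the dashboard role settings change.
SELECT ur.user_id, ur.role
FROM auth.user_roles ur
WHERE ur.role <> 'user'
ORDER BY ur.role, ur.user_id;

-- Check B: roles that every existing user holds. A privileged role showing
-- up here is the symptom the issue describes (it was put into the allowed
-- list and therefore auto-granted to all new users), not a deliberate grant.
SELECT r.role
FROM auth.roles r
WHERE EXISTS (SELECT 1 FROM auth.users)
  AND NOT EXISTS (
    SELECT 1
    FROM auth.users u
    WHERE NOT EXISTS (
      SELECT 1
      FROM auth.user_roles ur
      WHERE ur.user_id = u.id AND ur.role = r.role
    )
  )
ORDER BY r.role;
```

Keep `allowed` (and `default`) in nhost.toml limited to the low-privilege role that every new user should really receive; elevated roles live only in auth.roles and are handed out per user in auth.user_roles, which is exactly what check B is meant to confirm.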


kelkes commented Jan 24, 2025

The main problem is that the role is not listed in the User Configuration when it's not in the list of Available roles (although it's in the roles table)... But when it's in the list, it will be added by default to the user.

I know that it can all be fixed via the database, but my client cannot, and they are using the Auth UI to set roles for their users.

dbarrosop (Member) commented Jan 24, 2025

> The main problem is that the role is not listed in the User Configuration when it's not in the list of Available roles (although it's in the roles table)... But when it's in the list, it will be added by default to the user.

Ok, that's a bug in the dashboard then. We are probably fetching the data from the wrong place so that needs fixing.
