
Comments (12)

janeczku commented on April 27, 2024

I like that idea. How about using bitwise operators for user rights?

# Permission bits
allow_viewing  = 0x01
allow_download = 0x02
allow_editing  = 0x04
allow_upload   = 0x08
allow_admin    = 0x10

# This user can view and download books
user.role = int(allow_viewing | allow_download)

# Download requested
if allow_download & user.role:
    send_the_book(...)

from calibre-web.
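The bit layout proposed above, as an added example that is not part of the original thread or of calibre-web's code. It shows that the truthiness test `perm & role` means "any of these bits" once a view needs more than one right, so a guard should compare against the full mask; the `requires` decorator, `replace_book_file` and the sample roles are hypothetical.

```python
import functools
from enum import IntFlag


class Perm(IntFlag):
    # Same bit values as in the comment above
    VIEWING = 0x01
    DOWNLOAD = 0x02
    EDITING = 0x04
    UPLOAD = 0x08
    ADMIN = 0x10


def has_any(role: int, needed: Perm) -> bool:
    """Truthiness test, as in `if allow_download & user.role`."""
    return bool(role & needed)


def has_all(role: int, needed: Perm) -> bool:
    """Every requested bit must be set in the stored role."""
    return (role & needed) == needed


def requires(needed: Perm):
    """Hypothetical view guard: refuse unless the role holds all bits."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(user_role, *args, **kwargs):
            if not has_all(user_role, needed):
                missing = Perm(needed & ~user_role)
                raise PermissionError(f"missing rights: {missing!r}")
            return view(user_role, *args, **kwargs)
        return wrapper
    return decorator


@requires(Perm.EDITING | Perm.UPLOAD)
def replace_book_file(user_role, book_id):
    return f"book {book_id} replaced"


# Constructed sample roles, stored as plain integers
reader = int(Perm.VIEWING | Perm.DOWNLOAD)                 # 3
uploader = int(Perm.VIEWING | Perm.UPLOAD)                 # 9
editor = int(Perm.VIEWING | Perm.EDITING | Perm.UPLOAD)    # 13
```

For a single bit `has_any` and `has_all` agree; they differ only for combined masks, which is where a guard written as a truthiness test lets the `uploader` role through.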

cervinko commented on April 27, 2024

another idea would be to use prime numbers for different rights, e.g.:
2=show books
3=download books
5=edit metadata
7=upload books
11=admin

then the role of the user is saved as the product of the prime numbers
show books & download books & upload books would be 42
if you want to know if the user has upload rights you test if the role number is divisible by 7

pros: lots of possible combinations of user rights. extensible (e.g. delete)
cons: not compatible with current numbers 1 and 0. but compatibility could be added with an extra test if role==1 or 0

from calibre-web.
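The prime-product encoding described above, as an added example that is not part of the original thread or of calibre-web's code. It shows why the values 0 and 1 need an explicit test: 0 is divisible by every prime, so a bare divisibility check grants every right to a row that still holds 0. The function names are hypothetical, and treating values below 2 as "no rights" is an assumption made here, not the compatibility mapping the comment has in mind.

```python
# Prime values copied from the comment above
PRIMES = {"show": 2, "download": 3, "edit": 5, "upload": 7, "admin": 11}


def naive_has(role: int, right: str) -> bool:
    """Divisibility test exactly as described: role % prime == 0."""
    return role % PRIMES[right] == 0


def safe_has(role: int, right: str) -> bool:
    """Same test, but values below 2 (0, 1, negatives) grant nothing."""
    return role >= 2 and role % PRIMES[right] == 0


def grant(role: int, right: str) -> int:
    """Multiply the prime in once; values below 2 start from the empty product 1."""
    base = role if role >= 2 else 1
    return base if safe_has(base, right) else base * PRIMES[right]


def revoke(role: int, right: str) -> int:
    """Divide the prime out until it no longer divides the role."""
    while safe_has(role, right):
        role //= PRIMES[right]
    return role


def decode(role: int) -> list:
    """List the rights a stored role number carries."""
    return [name for name in PRIMES if safe_has(role, name)]


# 2 * 3 * 7 = 42, the combination used in the comment
role_42 = grant(grant(grant(1, "show"), "download"), "upload")
```

A bitmask has no such special case, because `0 & bit` is always 0 and the check fails closed.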

cervinko commented on April 27, 2024

+1 for bitwise operator. i will try to implement this...

mutschler commented on April 27, 2024

How about using Flask-Principal? since it's already setup to be used for Roles handling that would be the best option imo...

so role handling would be something like this:

from flask import render_template
from flask_principal import Permission, RoleNeed

allow_admin = RoleNeed('admin')
# Named admin_permission so the admin() view below does not shadow it
admin_permission = Permission(allow_admin)
admin_permission.description = "Admin permissions"

@app.route('/admin')
@admin_permission.require(http_exception=403)
def admin():
    return render_template('admin.html')

That's how i planned on implementing this in the first place :D

janeczku commented on April 27, 2024

Right, just realized that you had prepared for that (at least the imports are already there). On first look Flask-Principal seems to be quite a fine-grained (aka complex) framework and maybe overkill for the simple task of limiting access to views with a decorator.
@cervinko has already submitted a PR implementing different levels of user rights: #17. Maybe he can take a look at it and decide whether it's feasible to leverage Flask-Principal for the user roles/rights part.


mutschler commented on April 27, 2024

yep, found that PR after i've posted here.
Maybe Flask-Principal is a little bit overkill for such simple tasks but you'll get better control and could easily add/remove roles if needed. My main reason to post was why reinvent it when it's already there and working pretty well ;)

cervinko commented on April 27, 2024

didn't know about flask-principal. for me it looks too complex for our use case and to be honest i do not really see the advantages of principal to my implementation.
but if anyone would explain the advantages i am not averse to implementing it.

cervinko commented on April 27, 2024

@mutschler i just reinvented it, because i didn't know it....


mutschler commented on April 27, 2024

well basically the fine tuning i guess... you could for example limit some categories or stuff like that to specific users... if you want a special case for that: don't show everything that's 16+ for your children or something like that... even allow specific users to only edit specific books etc...


cervinko commented on April 27, 2024

ok. for my use case this would be overkill...

janeczku commented on April 27, 2024

@mutschler Using an existing framework definitely makes a lot of sense, especially as it relates to adding support for additional usage scenarios that require more fine-tuning. I am not too impressed with flask-principal, but i am sure there are some viable alternatives like for example https://github.com/raddevon/flask-permissions. That being said, @cervinko has already put work in his PR and merging it won't make it any harder to plug in a third-party library in the future.


cervinko commented on April 27, 2024

@janeczku it's up to you if you merge or not. but i am not planning to implement a flask-permissions or flask-principal version in the near future although it would be better to use an existing framework. i should have searched for frameworks before reinventing the wheel. lesson learned ;-)
