Whitelist Procedure and Rooms #391

joente · 2024-12-02T08:44:55Z

joente
Dec 2, 2024
Maintainer

Currently, users created with RUN, CHANGE, and JOIN privileges can only access predefined procedures and events. To enhance security, we propose introducing a whitelisting system for both rooms and procedures. This would allow granular control over user permissions, enabling more restrictive user roles.

For whitelisting rooms, implementing idea #392 would allow using names instead of room Id's.

joente · 2024-12-02T15:25:26Z

joente
Dec 2, 2024
Maintainer Author

Purposed functions:

whitelist_add(<user>, <list>, [name_or_regex]);
whitelist_del(<user>, <list>, [name_or_regex]);

Where <list> is either "procedures" or "rooms".

Where name_or_regex is either a string according the names convention, or a regular expression. This way a user cannot by accident provide a string, thinking he/she is providing a regular expression (example: "/^test.*/" is not allowed, as this is a string and not the regular expression which is /^test.*/).

user_info(..) return value (part):

We can simply return the values. If the value starts with / it is a regular expression, otherwise it is a name. For more details we can use the new whitelist(..) function.

{
    "whitelists": {
        "procedures": [
            "example",
            "/^api_.*/"
        ]
    }
}

If no white list is active, return "whitelists": {}. This is preferred to "whitelists": nil as this is more inline with having only a procedures or rooms whitelist, and not both. If no whitelist for procedures exists, any procedure is accepted and the same for rooms.

An empty list results in that all procedures / rooms will be blocked.

A whitelist list can be completely removed using whitelist_del(<user>, <list>); (not providing a specific rule).

An empty whitelist list can be created by using whitelist_add(<user>, <list>); (not providing a specific rule).

Note that we do not provide a scope, I don't think a scope is required as access to a scope can already be arranged. By supporting explicit names and regular expressions we can create loosely bindings which I think is preferred as it allows for a regular expression selecting multiple procedures or rooms at once.

0 replies

joente · 2024-12-10T10:02:13Z

joente
Dec 10, 2024
Maintainer Author

Added documentation:

The latest build (v1.7.0-rc2) can be used for testing.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ThingsDB

Whitelist Procedure and Rooms #391

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

ThingsDB

Whitelist Procedure and Rooms #391

Uh oh!

Uh oh!

joente Dec 2, 2024 Maintainer

Replies: 2 comments

Uh oh!

Uh oh!

joente Dec 2, 2024 Maintainer Author

Uh oh!

joente Dec 10, 2024 Maintainer Author

joente
Dec 2, 2024
Maintainer

joente
Dec 2, 2024
Maintainer Author

joente
Dec 10, 2024
Maintainer Author