Toolhub/Progress reports/2021-05-14

Report on activities in the Toolhub project for the week ending 2021-05-14.

Frontend authorization information

Tracked in Phabricator:
Task T282186

We are adding more complex access control rules for the backend APIs to support patrolling workflows and other moderation features. This made us realize that we needed a nicer way to enable and disable the related actions in the Vue UI layer. Up to this point we have been adding manual guard conditions like v-if="tool.created_by.username === username && tool.origin === 'api'", which will not scale well as we add other 'privileged' user rights that would OR with the basic authorizations. It is also duplicate configuration that has to be kept in sync manually between the frontend and the backend, which is a likely source of errors.

Some research led us to the CASL library. CASL is a JavaScript library for managing authorization rules ("can this user take this action on this object"). Its rules system is very similar to the django-rules backend library that we chose to implement object-level permissions on the backend.

gerrit:690525 introduces use of CASL in the frontend app, with authorization rules created on the backend via a transformation of the same permissions that are used to guard our API endpoints. These rules are delivered to the frontend as part of the payload of the /api/user/ endpoint, which is used to inform the frontend of the identity and state of the current user. With this in place, permission checks become things like v-if="$can( 'add', 'toolinfo/tool' )" and v-if="$can( 'delete', url )".
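To make the difference from the hand-written guard concrete, here is an added sketch (not Toolhub's code and not the CASL library) of a rule check driven by backend-delivered rules; it only decides what the UI shows, while the API endpoints keep enforcing the permissions themselves. The rule field names, the can( action, subject, object ) signature and the sample rules and tools are assumptions constructed for illustration.

```javascript
// Simplified stand-in for a CASL-style check; this is not the CASL library.
// Assumed rule shape: { action, subject, conditions?, inverted? }.

// Resolve a dotted path such as "created_by.username".
function getPath(obj, path) {
  return path.split('.').reduce((cur, k) => (cur == null ? undefined : cur[k]), obj);
}

// Equality-only conditions; a conditional rule never matches without an object.
function matches(conditions, obj) {
  if (!conditions) return true;
  if (obj == null) return false;
  return Object.entries(conditions).every(([path, want]) => getPath(obj, path) === want);
}

// Default is deny; later rules take precedence over earlier ones.
function buildCan(rules) {
  return (action, subject, obj) => {
    for (let i = rules.length - 1; i >= 0; i--) {
      const r = rules[i];
      if (r.action === action && r.subject === subject && matches(r.conditions, obj)) {
        return !r.inverted;
      }
    }
    return false;
  };
}

// Constructed rules, as a backend might deliver them for user "alice".
const ownerRules = [
  { action: 'add', subject: 'toolinfo/tool' },
  { action: 'delete', subject: 'toolinfo/tool',
    conditions: { 'created_by.username': 'alice', origin: 'api' } },
];
// A privileged right is one more rule from the backend, not another || in a template.
const patrollerRules = [{ action: 'delete', subject: 'toolinfo/tool' }];

// Constructed sample objects.
const ownApiTool = { created_by: { username: 'alice' }, origin: 'api' };
const crawledTool = { created_by: { username: 'alice' }, origin: 'crawler' };
const otherTool = { created_by: { username: 'bob' }, origin: 'api' };

const aliceCan = buildCan(ownerRules);
const patrollerCan = buildCan(patrollerRules);
console.log(aliceCan('delete', 'toolinfo/tool', ownApiTool));
console.log(aliceCan('delete', 'toolinfo/tool', otherTool));
console.log(patrollerCan('delete', 'toolinfo/tool', otherTool));
```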

Group membership management

Work has started on a user interface that will let our future Bureaucrats manage the groups that users are associated with.

Wrap up

Authorization rules engines and user management screens are not very exciting features for our eventual users, but they are important for building a better experience for those users. The next work expected to start for our content moderation workflows is reviewed/patrolled status tracking for toolinfo edits and associated work queues to help patrollers check for bad faith changes.

In possibly more exciting news, Bryan will be giving an "Intro to Toolhub for tool maintainers" presentation during next weekend's Wikimedia Hackathon 2021. Slides and hopefully a recording of that talk will be shared in a future progress report for those who are interested but unable to attend the virtual hackathon. Bryan will also be reachable during his wake hours that overlap with the hackathon to answer questions folks may have about Toolhub in the #wmhackconnect Freenode IRC channel.