Roles and Permissions

[etiennemarais]

Summary

We wanted to have a basic set of user roles and permissions to allow for varying behaviour of the system based on a user's assigned role and/or permissions.

Story map and permission's list

Use cases

Roles/Permissions list

Changes

• Added a migration to add an organiser identifier on a user to aid in limiting showing of other events.
• Fixed the user invite from the account screen to add the invited user to be added to the same organiser as the person inviting them.
• Added baseline roles/permissions package
• Upgraded laravel to latest stable 6.x
• Fixed tests that broke during the change over
• Added new landing view for normal users to see a list of their events
• Tweaked the UI to show/hide certain organiser and account level options based on the user's permissions or role
• Added a base test seed to add the new roles/permissions and assign them to the roles they belong
• Cleaned up the error pages to use the laravel simple styles
• Added an initial seed for roles/permissions to the migrations
• Scan the db for legacy users and assign the default user role to them, super admin needs to be assigned manually
• Added UI to invite a new user with their organiser and role selected
• Added UI to show the role for a user and toggle between them
• Added UI to toggle between adding the extended can manage events permission to users based on clicking the checkbox

Demo

If you want to test and check out the branch you can run these commands to get you started on a fresh database:

composer install
php artisan migrate:refresh --seed && php artisan db:seed --class=RolesPermissionsLocal

That will demo seed a bunch of users to try out with their roles already set (we don’t have a dedicated UI for them yet)

u: super@test.com
p: pass
This user can do everything

u: user1@test.com
p: pass
This user can manage all events within an organiser level

u: user2@test.com
p: pass
This user can only see events created by them even though they belong to the same organiser 

u: checkin@test.com
p: pass
This user can see all events for an organiser but are limited to their check in pages only. 

Screenshots

Can toggle the role and extended permissions

Can select the organiser this user belongs to as well as the Role

---

The whole new Role/Permission assignment UI - Only available to super admins

[justynpride]

@etiennemarais This is slightly outside of the scope of this original dev, but would it be worth considering adding an additional level of user? I was thinking a booking contact, or similar role. It could be used by others down the line for allowing user registration for orders, and then logging in to view their order history for events, or for secure order changes such as for #858.

[justynpride]

@etiennemarais I'm loving this feature. I put an issue up a while back that this relates to #800. From what I can see this feature helps towards this, but I don't think fully does. From what I can see a super admin can view all organizers, but there isn't a way to have the same abilities as the super admin, but limit the user to just one organizer. Does that make sense?

My ideal is for a universal super admin that can access all organizers, and for there to then be a super admin that can be restricted to a selected organizer. There might be a better term for the latter option, but I use it to detail the type of access it should have.

Currently when you create a user you can specify the organiser which then determines access. Would it be helpful for this to determine for the Super Admin access I've mentioned? It could be listed as a dropdown in the user panel, with a 'Access All' for the main Super User.

[justynpride]

Any progress on this being reviewed and merged?

[johannac]

Yes, my goal is to get it into the next release going out in May. @justynpride @publicarray have you both been using this feature in production for a while now? It works fine so far from what you've seen?

[justynpride]

Yes, my goal is to get it into the next release going out in May. @justynpride @publicarray have you both been using this feature in production for a while now? It works fine so far from what you've seen?

@johannac That's helpful to know. Thanks for all you do on this project. I've not been using this in production yet. I've just had another more thorough review of it. From what I can see and test it works as you expect. However if you have multiple organizations using the system then this won't quite work as you might want it to. Basically you want the main organiser account to only be able to see and manage the users for their organization. I just realized that a super admin can see and edit the users for other organizations.

A couple of helpful features for the future could be:

1. Delete or de-activate access for a user - people come and go in organisations after all.
2. Invite email resend - If an invite email wasn't received or deleted by error if would be great to be able to resend the invite, as we can't delete the user and recreate at the moment.

[quentincaffeino]

Also tested this feature, planning to use in staging for a while.

Besides what already was mentioned by @justynpride I found that you can't change Can Manage Events after user is created. (Un)Checking checkbox does nothing it seems (edit: changing role also isn't applied), but I haven't dug into code of it yet.

Other than these 3 2 things, what else needs to be addressed? Or only thing preventing this pr from being merged is that it isn't tested enough?

[justynpride]

@quentincaffeino personally I’d love to see this feature merged in, especially once some of these items have been addressed. Those items are to reduce end user frustration!

One thing I’d love to see is a booking contact level so that a user can log in and make orders and review previous orders, in the same way that you can with Eventbrite and other systems. It feels like a next obvious use for this feature.

[quentincaffeino]

Sorry, my bad, updating works. Forgot to rebuild js.

[johannac]

@quentincaffeino @justynpride just checking -- apart from general QA and testing, there is only 1 outstanding functionality issue with this system which was originally noted here (#957 (comment)) which is what to do about the Super Admin role and determining how it should work across repositories -- is that right?

[justynpride]

@quentincaffeino @justynpride just checking -- apart from general QA and testing, there is only 1 outstanding functionality issue with this system which was originally noted here (#957 (comment)) which is what to do about the Super Admin role and determining how it should work across repositories -- is that right?

From my perspective that is correct. Thanks for looking at this.

[quentincaffeino]

Tbh don't remember because I haven't touched Attendize since 2021

[JSkye3293]

Did this get pushed to the main stream? Im not seeing these changes in the current build that I have. Is there a way I need to enable them? Thanks!