Closed Bug 933846 Opened 12 years ago Closed 10 years ago

Surface privileges rather than groups in account permissions

Categories

(Marketplace Graveyard :: API, defect, P5)

Avenir
x86
macOS
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: robhudson, Unassigned)

Details

(Whiteboard: [repoman])

Right now we do something like `'lookup': allowed('AccountLookup', '%')` in the permissions API. But this breaks down when we start thinking about exposing the "Staff" group, which can have one of many privileges that might also be shared with other groups. I propose this return the individual privileges the user has (i.e. iterate over the user's groups, get the rules for that group, splitting on comma). The front-end could then be more selective, and do something like `"Stats:View" in privs`.
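The flattening proposed in the report above, sketched as an added example that is not part of the original comment or the Marketplace code base. The group names, rule strings and function names are constructed for illustration, and the meaning given to `%` and `*` is an assumption.

```python
# Added illustration; the data and function names below are assumptions,
# not the Marketplace code base.

# Constructed sample data: group name -> comma-separated "App:Action" rules.
GROUP_RULES = {
    "Staff": "Stats:View, AccountLookup:View,Apps:Review",
    "Support": "AccountLookup:View",
    "Stats Viewers": "Stats:View",
}


def privileges_for(group_names, group_rules=GROUP_RULES):
    """Flatten a user's groups into a sorted list of distinct privileges.

    Group names never reach the response, so the client sees what the user
    may do rather than which groups grant it.
    """
    privs = set()
    for name in group_names:
        # Unknown groups contribute nothing (fail closed).
        for rule in group_rules.get(name, "").split(","):
            rule = rule.strip()
            if not rule:
                continue
            app, sep, action = rule.partition(":")
            if not (app and sep and action):
                raise ValueError(f"malformed rule {rule!r} in group {name!r}")
            privs.add(rule)
    return sorted(privs)


def allowed(privs, app, action):
    """Check a flattened privilege list.

    Assumed semantics: '%' as the requested action matches any action, and
    '*' inside a stored rule is a wildcard.
    """
    for priv in privs:
        p_app, _, p_action = priv.partition(":")
        if p_app in ("*", app) and (action == "%" or p_action in ("*", action)):
            return True
    return False


if __name__ == "__main__":
    privs = privileges_for(["Staff", "Support"])
    print(privs)
    print("Stats:View" in privs, allowed(privs, "AccountLookup", "%"))
```

A list like this only tells the front-end what to show; each API endpoint still has to enforce the privilege on the server.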
+1 I love the idea of this
Component: General → API
Depends on: 910548
Priority: -- → P3
Stats kinda needs this since we're abusing the overly restrictive "admin" flag in the interim even though people have view stats access. Can we bump this in priority? I only asked to appear polite; I'm bumping it anyway!
Priority: P3 → P2
How is the API spitting out group permissions secured? I didn't see it in our API docs. I agree this bug is important; no one can see stats right now.
(In reply to Chuck Harmston [:chuck] from comment #4)
> It's documented here:
> http://firefox-marketplace-api.readthedocs.org/en/latest/topics/accounts.html#get--api-v1-account-permissions-mine-
Got it, thanks. I see it says "Requires Authentication" - is that documented also? I'm just trying to ensure that we aren't opening up the possibility of me making a request from bad.com to that endpoint on the user's behalf and learning that I have a logged-in privileged user.
Whiteboard: [repoman]
Dropping priority, stats uses something else now.
Priority: P2 → P5
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX