Home A - Z
Page Index

An Otter Wiki

Commit 36fe86

2026-03-17 03:12:13 Claude (MCP): [mcp] Plan: Permissions panel re-enablement implementation
/dev/null .. Plans/Permissions_Panel_Implementation.md
@@ 0,0 1,312 @@
+ ---
+ category: plan
+ tags: [implementation, permissions, admin, multi-tenancy]
+ last_updated: 2026-03-17
+ confidence: high
+ ---
+
+ # Permissions Panel Re-enablement: Implementation Plan
+
+ Parent: [[Design/Admin_Panel_Reenablement]]
+
+ ## Summary
+
+ Re-enable the Permissions admin panel (`/-/admin/permissions_and_registration`) in robot.wtf's multi-tenant platform. Wiki owners can set READ_ACCESS, WRITE_ACCESS, ATTACHMENT_ACCESS per-wiki. The resolver intersects these with platform ACL permissions before injecting proxy headers.
+
+ ## Repos and Branches
+
+ | Repo | Base branch | Feature branch |
+ |------|------------|----------------|
+ | `otterwiki` (`/Users/sderle/code/otterwiki/otterwiki/`) | `wikibot-io` | `feat/permissions-panel` |
+ | `robot.wtf` (`/Users/sderle/code/otterwiki/robot.wtf/`) | `main` | `feat/permissions-panel` |
+
+ Changes can be developed and tested independently. The otterwiki changes are purely UI (template + decorator removal). The robot.wtf changes are purely resolver logic with no otterwiki import changes.
+
+ ## Change 1: Otterwiki fork — Remove decorator and hide registration fields
+
+ ### 1a. Remove `@platform_mode_disabled` from the route
+
+ **File:** `/Users/sderle/code/otterwiki/otterwiki/otterwiki/views.py`, lines 237–248
+
+ Current:
+ ```python
+ @app.route(
+ "/-/admin/permissions_and_registration", methods=["POST", "GET"]
+ ) # pyright: ignore -- false positive
+ @login_required
+ @platform_mode_disabled
+ def admin_permissions_and_registration():
+ ```
+
+ Change: Remove `@platform_mode_disabled` line (line 241).
+
+ ### 1b. Show sidebar link in PLATFORM_MODE for permissions only
+
+ **File:** `/Users/sderle/code/otterwiki/otterwiki/otterwiki/templates/settings.html`, lines 43–62
+
+ Currently the entire block (User Management, Permissions, Mail) is gated by `{% if not config.PLATFORM_MODE %}`. Change to:
+ - Keep User Management and Mail inside the `{% if not config.PLATFORM_MODE %}` guard
+ - Move the Permissions link outside it (before the guard, after Repository Management)
+
+ New structure (lines ~42–62):
+ ```jinja
+ <a href="{{ url_for("admin_permissions_and_registration") }}" class="sidebar-link sidebar-link-with-icon">
+ <span class="sidebar-icon" style="min-width: 3rem;">
+ <i class="fas fa-users-cog"></i>
+ </span>
+ Permissions{% if not config.PLATFORM_MODE %} and Registration{% endif %}
+ </a>
+ {% if not config.PLATFORM_MODE %}
+ <a href="{{ url_for("admin_user_management") }}" ...>
+ User Management
+ </a>
+ <a href="{{ url_for("admin_mail_preferences") }}" ...>
+ Mail Preferences
+ </a>
+ {% endif %}
+ ```
+
+ ### 1c. Hide registration fields in PLATFORM_MODE
+
+ **File:** `/Users/sderle/code/otterwiki/otterwiki/otterwiki/templates/admin/permissions_and_registration.html`
+
+ Wrap lines 34–85 (the five registration checkboxes: DISABLE_REGISTRATION, EMAIL_NEEDS_CONFIRMATION, AUTO_APPROVAL, NOTIFY_ADMINS_ON_REGISTER, NOTIFY_USER_ON_APPROVAL) in:
+
+ ```jinja
+ {% if not config.PLATFORM_MODE %}
+ {# ... all five checkbox form groups ... #}
+ {% endif %}
+ ```
+
+ Also hide the "ADMIN" option from the access level dropdowns in PLATFORM_MODE (line 24). In platform mode, ADMIN-level access restriction doesn't apply since admin is determined by ACL role, not registration. Change the loop:
+
+ ```jinja
+ {% for permission_option in ["ANONYMOUS","REGISTERED","APPROVED"] + ([] if config.PLATFORM_MODE else ["ADMIN"]) %}
+ ```
+
+ ### 1d. Hide the per-user note about setting to "Admin"
+
+ Line 10–12 in the template contains a note about setting access to "Admin" and using User Management. In PLATFORM_MODE, wrap this in `{% if not config.PLATFORM_MODE %}...{% endif %}` and show an alternative note:
+
+ ```jinja
+ {% if config.PLATFORM_MODE %}
+ <div>
+ <em>Note:</em> These settings control per-wiki access levels. The platform ACL (owner/editor/viewer)
+ grants the maximum permissions. These settings can restrict further but never escalate.
+ "Anonymous" means anyone with a link. "Registered" means authenticated platform users.
+ </div>
+ {% else %}
+ <div>
+ <em>Note:</em> To configure privileges per user, ...
+ </div>
+ {% endif %}
+ ```
+
+ ### 1e. Handle form submission for PLATFORM_MODE
+
+ **File:** `/Users/sderle/code/otterwiki/otterwiki/otterwiki/preferences.py`, lines 419–436 (`handle_permissions_and_registration`)
+
+ No changes needed. The function already saves only the values present in the form. Since registration checkboxes will be absent in PLATFORM_MODE, they won't be updated. However, on first save the missing checkboxes will be saved as "False" (their default from `form.get(checkbox, "False")`).
+
+ **Fix:** Guard the registration checkbox loop with a PLATFORM_MODE check:
+
+ ```python
+ def handle_permissions_and_registration(form):
+ for name in ["READ_access", "WRITE_access", "ATTACHMENT_access"]:
+ _update_preference(name.upper(), form.get(name, "ANONYMOUS"))
+ if not app.config.get("PLATFORM_MODE"):
+ for checkbox in [
+ "disable_registration",
+ "auto_approval",
+ "email_needs_confirmation",
+ "notify_admins_on_register",
+ "notify_user_on_approval",
+ ]:
+ _update_preference(checkbox.upper(), form.get(checkbox, "False"))
+ db.session.commit()
+ update_app_config()
+ toast("Preferences updated.")
+ return redirect(url_for("admin_permissions_and_registration"))
+ ```
+
+ ## Change 2: robot.wtf resolver — Intersect permissions with per-wiki access levels
+
+ ### 2a. New function: `_apply_wiki_access_restrictions`
+
+ **File:** `/Users/sderle/code/otterwiki/robot.wtf/app/resolver.py`
+
+ Add after `_is_write_request` (around line 273):
+
+ ```python
+ def _apply_wiki_access_restrictions(
+ permissions: tuple[str, ...] | list[str],
+ is_authenticated: bool,
+ ) -> list[str]:
+ """Intersect ACL-granted permissions with per-wiki access preferences.
+
+ After _swap_database() + update_app_config(), the per-wiki
+ READ_ACCESS / WRITE_ACCESS / ATTACHMENT_ACCESS values are in app.config.
+
+ Platform ACL grants the ceiling. Per-wiki preferences can only restrict.
+
+ Access levels:
+ ANONYMOUS — no restriction (anyone gets this permission)
+ REGISTERED — only authenticated users
+ APPROVED — treated same as REGISTERED (no per-user approval tracking yet)
+
+ Args:
+ permissions: ACL-granted permissions (e.g. ("READ", "WRITE", "UPLOAD"))
+ is_authenticated: Whether the request has a resolved identity
+ (not anonymous)
+
+ Returns:
+ Filtered list of permissions.
+ """
+ import otterwiki.server
+ app = otterwiki.server.app
+
+ result = list(permissions)
+
+ access_map = {
+ "READ": "READ_ACCESS",
+ "WRITE": "WRITE_ACCESS",
+ "UPLOAD": "ATTACHMENT_ACCESS",
+ }
+
+ for perm, config_key in access_map.items():
+ if perm not in result:
+ continue
+ level = app.config.get(config_key, "ANONYMOUS").upper()
+ if level == "ANONYMOUS":
+ continue
+ # REGISTERED and APPROVED both require authentication
+ # (APPROVED would require per-user tracking; deferred — treat as REGISTERED)
+ if level in ("REGISTERED", "APPROVED", "ADMIN"):
+ if not is_authenticated:
+ result.remove(perm)
+
+ # WRITE requires READ; UPLOAD requires WRITE
+ if "READ" not in result:
+ for dep in ("WRITE", "UPLOAD"):
+ if dep in result:
+ result.remove(dep)
+ if "WRITE" not in result:
+ if "UPLOAD" in result:
+ result.remove("UPLOAD")
+
+ return result
+ ```
+
+ ### 2b. Call `_apply_wiki_access_restrictions` in `TenantResolver.__call__`
+
+ **File:** `/Users/sderle/code/otterwiki/robot.wtf/app/resolver.py`, lines 396–406 (after `_swap_database`, before injecting headers)
+
+ Insert between `_swap_database(wiki_dir)` (line 399) and the header injection block (line 402):
+
+ ```python
+ # Apply per-wiki access restrictions
+ proxy_headers = auth_result["proxy_headers"]
+ is_authenticated = proxy_headers.get("x-otterwiki-email", "") not in (
+ "", "@anonymous"
+ )
+ perms_key = "X-Otterwiki-Permissions" # Note: key casing matches build_proxy_headers
+ # Actually the key is lowercase in build_proxy_headers
+ perms_key = "x-otterwiki-permissions"
+ raw_perms = proxy_headers.get(perms_key, "").split(",")
+ restricted = _apply_wiki_access_restrictions(raw_perms, is_authenticated)
+ proxy_headers[perms_key] = format_permission_header(restricted)
+ ```
+
+ **Important:** This must happen AFTER `_swap_database()` (which calls `update_app_config()`, loading per-wiki preferences into `app.config`) and BEFORE injecting headers into environ.
+
+ The existing quota-stripping logic (lines 382–388) should remain and runs on the already-restricted permissions. Reorder: wiki access restrictions first, then quota stripping. Or just let both run — quota stripping is additive removal and safe to apply on already-restricted perms.
+
+ ### 2c. Determine `is_authenticated` from auth path
+
+ Looking at the auth resolution paths:
+ - JWT auth → authenticated (email = `@{handle}`)
+ - Cookie auth → authenticated (email = `@{handle}`)
+ - Bearer token → authenticated (email = `mcp@robot.wtf`)
+ - API key → authenticated (email = `@system`)
+ - Anonymous → NOT authenticated (email = `@anonymous`)
+
+ The check `email not in ("", "@anonymous")` correctly identifies unauthenticated requests.
+
+ ## The APPROVED Level Question
+
+ **Can we support APPROVED without per-user tracking?** No — not fully.
+
+ - In vanilla Otterwiki, APPROVED means users must be individually approved by an admin via User Management.
+ - In robot.wtf, there's no per-wiki user table being actively populated (users are transient proxy-header objects).
+ - User Management panel is still disabled.
+
+ **Decision: Treat APPROVED the same as REGISTERED for now.** Both mean "authentication required." This is documented in the function docstring. When User Management is re-enabled (Phase 2 per [[Design/Admin_Panel_Reenablement]]), APPROVED can be differentiated.
+
+ **UI consideration:** We could hide the APPROVED option in PLATFORM_MODE, but it's better to leave it visible and documented. Wiki owners who set APPROVED get REGISTERED behavior — a reasonable default that becomes stricter (not looser) when user tracking lands.
+
+ ## What Happens for Each User Type
+
+ | User type | Platform ACL perms | Wiki READ_ACCESS=ANON | Wiki READ_ACCESS=REGISTERED | Wiki WRITE_ACCESS=REGISTERED |
+ |-----------|-------------------|----------------------|---------------------------|------------------------------|
+ | Owner (JWT) | READ,WRITE,UPLOAD,ADMIN | all | all | all |
+ | Editor (JWT/cookie) | READ,WRITE,UPLOAD | all | all | all |
+ | Viewer (ACL) | READ | READ only | READ only | READ only |
+ | Public (anon, wiki is_public) | READ | READ | **none** (stripped) | READ only |
+ | MCP bearer token | READ,WRITE,UPLOAD | all | all | all |
+ | No auth, wiki private | 403 before reaching this code | N/A | N/A | N/A |
+
+ Key insight: When READ_ACCESS=REGISTERED, anonymous users on a public wiki lose READ. This effectively makes the wiki private despite `is_public=true` in the platform DB. That's correct — wiki owner's preference is the final word on restrictions.
+
+ ## ADMIN Permission Pass-Through
+
+ The `_apply_wiki_access_restrictions` function does NOT touch the ADMIN permission. ADMIN is purely platform-controlled (ACL role = owner). The wiki-level access preferences only affect READ, WRITE, and UPLOAD.
+
+ ## Test Specifications
+
+ ### Otterwiki fork tests
+
+ **File:** New test file or extend existing admin test.
+
+ 1. **Route accessible in PLATFORM_MODE:** With `PLATFORM_MODE=True` and an admin user, GET `/-/admin/permissions_and_registration` returns 200 (not 404).
+ 2. **Registration fields hidden:** Response HTML does not contain `disable_registration` checkbox when `PLATFORM_MODE=True`.
+ 3. **Registration fields shown:** Response HTML contains `disable_registration` when `PLATFORM_MODE=False`.
+ 4. **ADMIN option hidden in PLATFORM_MODE:** The access dropdowns don't include "ADMIN" option when `PLATFORM_MODE=True`.
+ 5. **Form submission saves only access prefs in PLATFORM_MODE:** POST with READ_access=REGISTERED saves READ_ACCESS but does not touch DISABLE_REGISTRATION.
+ 6. **Sidebar link visible in PLATFORM_MODE:** The settings template renders a link to `admin_permissions_and_registration` when `PLATFORM_MODE=True`.
+
+ ### robot.wtf tests
+
+ **File:** `/Users/sderle/code/otterwiki/robot.wtf/tests/test_resolver.py` (extend)
+
+ Unit tests for `_apply_wiki_access_restrictions`:
+
+ 1. **All ANONYMOUS — no restriction:** Permissions pass through unchanged.
+ 2. **READ_ACCESS=REGISTERED, authenticated user:** READ preserved.
+ 3. **READ_ACCESS=REGISTERED, anonymous user:** READ stripped; WRITE and UPLOAD also stripped (dependency).
+ 4. **WRITE_ACCESS=REGISTERED, anonymous user with READ_ACCESS=ANONYMOUS:** READ preserved, WRITE stripped, UPLOAD stripped.
+ 5. **ATTACHMENT_ACCESS=REGISTERED, anonymous user:** READ and WRITE preserved, UPLOAD stripped.
+ 6. **APPROVED treated as REGISTERED:** READ_ACCESS=APPROVED, anonymous → READ stripped.
+ 7. **ADMIN permission not touched:** Owner with ADMIN + READ_ACCESS=REGISTERED, anonymous → ADMIN preserved (though this case shouldn't occur in practice since ADMIN requires auth).
+ 8. **Dependency chain:** WRITE removed → UPLOAD also removed even if ATTACHMENT_ACCESS=ANONYMOUS.
+
+ Integration-level tests (mock `_swap_database` and `otterwiki.server.app.config`):
+
+ 9. **Full resolver flow:** Authenticated cookie user on wiki with WRITE_ACCESS=REGISTERED gets WRITE permission.
+ 10. **Full resolver flow:** Anonymous user on public wiki with READ_ACCESS=REGISTERED gets no permissions (empty header).
+ 11. **Quota stripping + access restriction compose correctly.**
+
+ ## Deployment and Independence
+
+ The two feature branches can be merged independently:
+
+ - **otterwiki fork first:** Safe to merge. The `@platform_mode_disabled` removal means the route returns the form, but without resolver-side intersection, the saved preferences have no effect on actual access control. The proxy header permissions still come from the ACL alone. This is harmless — the admin can save preferences that don't do anything yet.
+
+ - **robot.wtf first:** Safe to merge. The resolver reads `app.config` values for READ_ACCESS etc. If the preferences haven't been set (no admin panel yet), the defaults are all "ANONYMOUS" (from `otterwiki/server.py` line 38–40), so no permissions are stripped. No behavioral change.
+
+ **Recommended order:** otterwiki fork first (UI changes, simpler to test), then robot.wtf (logic changes, needs more test coverage).
+
+ ## Open Questions
+
+ 1. **Should we log when wiki-level restrictions strip permissions?** Probably yes, at DEBUG level, for troubleshooting.
+ 2. **Should the platform management UI (robot.wtf dashboard) expose these settings too?** Not now — the otterwiki admin panel is sufficient.
+ 3. **When READ_ACCESS=REGISTERED strips READ from anonymous on a public wiki, should the resolver return 403 instead of passing through with empty permissions?** Current design passes through with empty permissions; otterwiki will show appropriate "access denied" UI. This is probably fine.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9