Description
To implement pull-labs we need to have more fine-grained access control on nodes.
The current system only allows for broad permissions, which is insufficient for our needs.
I propose the following changes. A low-friction way to get “fine-grained control per runtime” without redesigning Nodes is to reuse our existing UserGroup concept as scoped permissions:
- We define a group naming convention (scopes)

  Example:
  - node:edit:any (optional global editor)
  - runtime:lava-collabora:node-editor
  - runtime:lava-collabora:node-admin

  These are just UserGroup.name strings (already supported by our user model).
- Extend authorize_user() to include runtime scope + superuser

  We will change logic to:
  - allow if user.is_superuser (this matches “one of them can update all nodes” requirement)
  - allow if user.username == node.owner
  - allow if any user.groups matches node.user_groups (keep existing behavior)
  - allow if node.data.runtime is set and user has group like runtime:{runtime}:node-editor (or admin)
- Apply the same check to batch updates

  /batch/nodeset currently does its own ownership check + hardcoded usernames

  We can reuse the same “can edit node?” logic there too, otherwise runtime-scoped editors will be blocked.
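
The check order proposed above, as an added sketch that is not the project's code. `User` and `Node` are hypothetical stand-ins for the real models, and `can_edit_node` and `batch_denied` are assumed names. Treating `node:edit:any` as an allow rule and rejecting runtime names that contain `:` are assumptions beyond the issue text.

```python
from dataclasses import dataclass, field

RUNTIME_EDIT_ROLES = ("node-editor", "node-admin")  # roles named in the proposal
GLOBAL_EDITOR = "node:edit:any"  # listed as optional; honouring it is an assumption

@dataclass
class User:  # hypothetical stand-in for the user model
    username: str
    groups: list = field(default_factory=list)  # UserGroup.name strings
    is_superuser: bool = False

@dataclass
class Node:  # hypothetical stand-in for the Node model
    owner: str
    user_groups: list = field(default_factory=list)
    data: dict = field(default_factory=dict)

def can_edit_node(user, node):
    """Return (allowed, reason); the reason is there for audit logging."""
    if user.is_superuser:
        return True, "superuser"
    if user.username == node.owner:
        return True, "owner"
    groups = set(user.groups)
    if GLOBAL_EDITOR in groups:
        return True, "global-editor"
    if groups & set(node.user_groups):  # existing behaviour kept
        return True, "shared-group"
    runtime = (node.data or {}).get("runtime")
    # Build the full scope string from the node's runtime and compare whole
    # strings. Prefix or substring matching would let a "lava" scope edit
    # "lava-collabora" nodes. Runtime names containing ":" are refused
    # (assumption) so the three-part scope format stays unambiguous.
    if isinstance(runtime, str) and runtime and ":" not in runtime:
        wanted = {f"runtime:{runtime}:{role}" for role in RUNTIME_EDIT_ROLES}
        if groups & wanted:
            return True, "runtime-scope"
    return False, "denied"

def batch_denied(user, nodes):
    """Nodes in a batch the user may not edit; empty means the batch can proceed."""
    return [n for n in nodes if not can_edit_node(user, n)[0]]

if __name__ == "__main__":
    # Constructed sample data.
    alice = User("alice", ["runtime:lava-collabora:node-editor"])
    batch = [Node("bob", data={"runtime": "lava-collabora"}),
             Node("bob", data={"runtime": "lava"})]
    print([can_edit_node(alice, n) for n in batch], len(batch_denied(alice, batch)))
```

Routing the batch endpoint through the same function keeps a single place where the allow rules live, which is what lets the hardcoded usernames go away.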