Permissions

[en]
[de] German version
[fr] French version

[en]

Group Permissions

By default, everyone in a group has admin permissions. They can:

  • accept new members,
  • create committees,
  • access any group or committee page.

You can create a committee that is a council. People in this committee then become admins of the group. Others in the group have participant permission. See chart below.

Committee Permissions

  • Group members have access to all committees
  • Even if a group member is not in a committee they will still see committee pages on their dashboard (this was different in previous versions of Crabgrass on we.riseup.net).

Page permissions         Coordinator   Participant   Viewer
Watch For Updates        +             +             +
Add Star                 +             +             +
Share Wiki               +             +             -
Public                   +             -             -
Delete Wiki              +             -             -
Move Wiki                +             -             -
Wiki Details – view      +             +             +
Wiki Details – change    +             -             -
Tags edit                +             +             -
Attachments edit         +             +             -
Add Comment              +             +             +

[de]

Group Permissions

By default, all group members have admin status:

  • edit settings
  • accept new members
  • create committees
  • access any group or committee content
  • permanently delete wikis

A council can be created within a group. Members of this committee get admin status.
All other group members get participant status. (see figure)

Committee Permissions

  • Group members have access to all committees
  • Even if group members are not in a committee, they will still have its content in their overview (this was different in previous versions of Crabgrass on we.riseup.net).
  • Members who are in a committee but not in the associated group have no access to the group's content

Page permission          Coordinator   Participant   Viewer
Updates                  +             +             +
Rate wiki                +             +             +
Share wiki               +             +             -
Publish wiki             +             -             -
Delete wiki              +             -             -
Move wiki                +             -             -
Wiki details – view      +             +             +
Wiki details – change    +             -             -
Edit tags                +             +             -
Edit attachments         +             +             -
Comment                  +             +             +

[fr]

Permissions in groups

By default, anyone in a group can administer it. It is possible to:

  • accept or reject requests from users wishing to join the group
  • create committees
  • access all of the group's pages and all pages of the group's committees

You can create a committee that is in fact a Council. The people in this council then obtain the administration powers of the group, and the others have them withdrawn. See the diagram below.

Permissions in committees

  • Group members have access to all committees
  • A group member who is not in a committee will still see its pages on their Dashboard (which was not the case in previous versions of Crabgrass)

Page permissions         Coordinator   Participant   Viewer
Watch For Updates        +             +             +
Add Star                 +             +             +
Share Wiki               +             +             -
Public                   +             -             -
Delete Wiki              +             -             -
Move Wiki                +             -             -
Wiki Details – view      +             +             +
Wiki Details – change    +             -             -
Tags edit                +             +             -
Attachments edit         +             +             -
Add Comment              +             +             +
 

I have an unrelated permissions comment. Now, people who are not logged in can see the avatars (if they know the URL). Maybe that’s okay, but i just noticed it and thought i’d mention it.

 
 

jessi, thanks for mentioning that. for me that is really an issue and it’s the reason why i made my profile private now which is unsatisfactory as i would like people who do have a crabgrass account to be able to see my profile. i think there should be 3 options: 1) private profile 2) profile viewable to crabgrass users 3) profile that is world-viewable. the same 3 options should apply to groups and committees …

 
 

Hi, I would like to learn more about the permission system.

  1. How can I change permission default?
  2. How can I customize the permission system?
  3. How can I create ROLES that apply to different members in a group?
  4. How does the system resolve conflicts of applied ROLES?
  5. Are there role hierarchies and how can I control them?
  6. Is there a possibility to add a custom backend to control permissions (Database / File /LDAP)?

I tried to understand the code, but I do not know too much about Rails – I see that there are several RBAC Rails Plugins out there, but crabgrass seems to implement their own stuff.

However, it would be very interesting to read a verbose description about the permission system!

Thank you very much for your attention!
Snaky

 
 

How do you think about implementing a more generic way of groups / permissions? Ruby world has a few implementations to offer, i think it would be good, not to walk alone in this area!

 
 

Just a hypothetical, but say someone is causing trouble and needs to be voted out of the group. How does that work?

 
 

How can I delete somebody from the group?

 
 

Hi
We had the idea with my group to backup our working page, so that we don’t lose it in any case of server crash (this doesn’t mean we don’t trust crabgrass, but we do not want to lose this job!), and moreover, in order to be able to have a look on our work locally.
I tried a
$ wget --user=gdmz --ask-password -Erkp -w1 -np https://we.riseup.net/ourworkinggroupsname
which asked me for my password, then established a successful connection with your server, and then… failed with an error 404
I’m sure i made no mistake in the working group’s name, so i don’t understand why the url could not be solved finally.
Would you help me make this backup, even with another command line?

 
 

hi gdmz,

The user, password mechanism you are trying is different from the one crabgrass uses.
We currently only support cookie based session authentication.

Here’s a starting point for wget. I have not tested this myself yet though.

# Log in to the server.  This only needs to be done once.
# 'foo' and 'bar' stand for your own login and password.
  wget --save-cookies cookies.txt \
    --keep-session-cookies \
    --post-data 'login=foo&password=bar' \
    https://we.riseup.net/session/login
# Now grab the page or pages we care about.
  wget --load-cookies cookies.txt \
    -p https://we.riseup.net/groupname

If it does not work please check if the cookies.txt file contains any cookies.
If you can download the landing page of the group you can also download other pages.
You might want to use the print view – at least for the wiki pages.

 
 

Thank you for your advice. I could connect and download part of our pages, even if unfortunately something seems to be bugging — seems to come from my os, the download made it bug twice during the operation. I’m using Tails, and I would bet something leads to a RAM overflow: after some minutes, my fan panics and all operations are frozen; having a look at the memory status before the freeze, I could see the part of used Mem increasing more and more… Maybe I should look for some realtime synchronization options during the backup (I save the files on my USB stick, to avoid saving it on Tails’ desktop that could be quickly filled, which I supposed to be happening during my first try, and I’m now really sure this stick is large enough to save those 20 or 30 MB I try to backup).

However, the command lines you suggested work well. The first one allows me to connect, the second one to find my group’s page and begin the downloading operation. I just used different options, as I read somewhere else (wget -Erkp -np), in order to save internal links and to avoid downloading all parent pages…

Actually you can see I’m not familiar with wget. I may perform other tries, and write another comment to share if I find some tiny options that allow me to download everything without a bug. For now I could perform an essential and not-so-easy-to-restore backup, which is better than nothing.

However, thank you azul.

 
 

gdmz, glad it helped. Thanks for the details. Frozen os might be a heat issue with a broken fan or so as well. If you have > 1Gb of ram that should not be a problem. Otherwise you can use sync to tell your computer to write all cached data to the usb stick. This should work in parallel to the download. Just type it in a different console.
Oh… and for wiki pages i just brought back the group/page/print url. You can use that if you want to avoid the menus and include all the comments. Print view for other page types will still take some time though.

 
 

How do we approve a pending request for the creation of a council?

 
 

alva, this question has come up quite a few times lately. We obviously need to make the UI and maybe even the process more clear. The person approving the request has to be a member of the group for at least 2 weeks i believe.
The idea behind this is that we want to prevent group ‘takeover’ by generating a council. That is already done by requiring someone else to approve the request. But one could still just create a new account, invite that fake account to the group and use it to approve the request.
So instead we decided to require a certain time of group membership until you can approve council requests.
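
The approval rule described in the comment above, as an added Ruby example (not Crabgrass's own code and not part of the comment). The struct and method names are hypothetical, the sample memberships are constructed, and the 14-day threshold is the "2 weeks" figure from the comment.

```ruby
# Hypothetical model of the council approval rule; not Crabgrass's own code.
# Threshold assumed from the comment ("at least 2 weeks").
MIN_MEMBERSHIP_SECONDS = 14 * 24 * 60 * 60

Membership     = Struct.new(:user, :joined_at)
CouncilRequest = Struct.new(:group_members, :requested_by)

# Returns [allowed, reason]. The approver must be
#   1. a member of the group,
#   2. someone other than the person who made the request, and
#   3. a member for long enough that an account invited just for this
#      purpose cannot supply the second approval.
def can_approve_council?(request, approver, now: Time.now.utc)
  membership = request.group_members.find { |m| m.user == approver }
  return [false, :not_a_member] unless membership
  return [false, :self_approval] if approver == request.requested_by

  age = now - membership.joined_at # seconds, as a Float
  return [false, :membership_too_recent] if age < MIN_MEMBERSHIP_SECONDS

  [true, :ok]
end

# Constructed sample data.
NOW = Time.utc(2024, 3, 1)
REQUEST = CouncilRequest.new(
  [Membership.new('founder',       Time.utc(2023, 1, 10)),
   Membership.new('longtime',      Time.utc(2023, 6, 2)),
   Membership.new('fresh-account', Time.utc(2024, 2, 27))],
  'founder'
)

# Evaluate every candidate approver against the same request.
def approval_report(request, users, now)
  users.map { |user| [user, *can_approve_council?(request, user, now: now)] }
end

if __FILE__ == $PROGRAM_NAME
  users = %w[founder fresh-account longtime outsider]
  approval_report(REQUEST, users, NOW).each { |row| puts row.join("\t") }
end
```
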

 
 

okay, great, thanks azul!

 
 

Hello there, I’m new to we.riseup and I’m facing an issue with the council. We have created one which never effectively worked. Once we click on it, a message comes up as if the page we’re trying to reach doesn’t exist. Anyone around could give me some light? Many thanks

 
 

how do I delete a group member that accidentally approved? if I go via members and click “delete member” all I seem to be able to do is delete this pending command instead of approving it. can anyone help?

 
 

ilana, if you still see the request and have the ability to delete the pending request, that seems to mean the member has not been approved. So they can’t be deleted ;)

 
 

I think it takes two people to remove another person from the group. So someone else has to approve the request. You yourself can only delete the request ( ~ take it back).
Removing people from groups can be very destructive so we try to make sure at least two people are involved in the decision.

 
 

Azul, you seem to be very familiar with the structure of we.riseup – would you be able to help with the issue we’re having with our group council? (or to direct me to where / how to look for help, please?) Many thanks and best regards

 
 

Naya, I send you a private message so we can investigate this. It sounds like a bug.

 
 

hi, my group recently changed our name, then we changed it back, and now we cannot access some of the older pages… please help!

 
 

Hey, here I corrected the German version of this page.

Group Permissions

By default, all group members have admin status:

  • edit settings
  • accept new members
  • create committees
  • access any group or committee content
  • permanently delete wikis

A council can be created within a group. Members of this committee get admin status.
All other group members get participant status. (see figure)

Committee Permissions

  • Group members have access to all committees
  • Even if group members are not in a committee, they will still have its content in their overview (this was different in previous versions of Crabgrass on we.riseup.net).
  • Members who are in a committee but not in the associated group have no access to the group's content
 
 

hi wigglypoo,

I will send you a message to investigate

 
 

hi fitania, hey y’all,

Thanks for the update. I had not even intended this change when updating the page list on the dashboard.
I was focussing on a different issue.

How do people feel about this change? (Pages of committees you are not a member of show up on your dashboard right now.)

 
 

I’m confused about what a member of a network council has permission to do, when the network has both multiple groups (each with their own council) and each group has multiple committees. Can anyone provide any insight? Also, who has permission to add/remove people from a committee? Those in the committee’s group’s council only? The text above only refers to adding/removing from the group.

 
 

abbe, I’ll try to clarify:

members of a network do not have more access to the network's groups than they would have without the network.
members of a group have access to a network the group is a member of.
If there is no council in the network all members of the network and all members of the groups of the network can admin the network.
If there is a council only the members of that council can admin the network. Members of the network council do not gain any new permissions on the network's groups.

Not sure if that helps. So basically groups are the main layer of access permissions. if you are in a group you can also access the committees of the group and the networks of the group. If you are in the network or the committee only you cannot access the group. Networks are meant to share information between autonomous groups. Committees are meant to substructure the groups and invite outsiders into these working groups without granting them access to the rest of the group.

abbe, does that help to clarify things?
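
The group, committee and network rules described on this page and in the reply above, written out as an added Ruby example (not Crabgrass's own code and not part of azul's comment). The `Entity` class, the method names and the sample members are hypothetical; committee administration is left out because the page does not state it.

```ruby
require 'set'

# Hypothetical model of the rules on this page; not Crabgrass's own code.
# A committee has a parent group; a network has member groups.
class Entity
  attr_reader :name, :members, :council, :parent, :groups

  def initialize(name, members:, council: nil, parent: nil, groups: [])
    @name = name
    @members = members.to_set
    @council = council&.to_set
    @parent = parent
    @groups = groups
  end
end

# Group membership is the main layer: it grants access to the group, its
# committees and its networks. Committee-only or network-only membership
# never grants access to the group itself.
def may_access?(user, entity)
  return true if entity.members.include?(user)
  return true if entity.parent && entity.parent.members.include?(user)

  entity.groups.any? { |group| group.members.include?(user) }
end

# Groups and networks: with no council, everyone with access is an admin;
# with a council, only council members are.
def may_admin?(user, entity)
  raise ArgumentError, 'committee admin rules are not stated' if entity.parent
  return entity.council.include?(user) if entity.council

  may_access?(user, entity)
end

# Constructed sample data.
GROUP     = Entity.new('collective', members: %w[ana ben], council: %w[ana])
COMMITTEE = Entity.new('outreach', members: %w[ben cleo], parent: GROUP)
NETWORK   = Entity.new('alliance', members: %w[dora], groups: [GROUP])
NET_RULED = Entity.new('alliance', members: %w[dora], council: %w[dora],
                                   groups: [GROUP])

if __FILE__ == $PROGRAM_NAME
  puts may_access?('cleo', GROUP)  # committee-only member asking for the group
  puts may_admin?('ben', NETWORK)  # group member, network without a council
end
```
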

 
 

Thanks, azul. This helps clarify the network council a lot.
Just my final question remains – about ‘control’ of membership in committees. If the groups are supposed to be the main layers of access permissions (helpful to think of them that way), then I’m confused why I seem to be able to remove people from / send invites to committees when not on the group’s council. I thought it was because I was on a network council, but clearly that’s not the case. Can anyone in a committee add/remove people or is it just the people who are in the group as well?

 
 

How do I delete a group? I just created my wiki and started setting up groups but really don’t know what I’m doing. There’s no option to delete the group (an Organization) in any of the group’s tabs.

 
 

Hi Toronto. As far as I see in the groups I am part of, there is a “destroy group” red icon in:

Groups / “Group name” / settings / structure

 
   

I was trying to open a bug via the link on the button but the issue tracker is read-only. So anyway, in a Network we are forming we have the issue that individual members can be removed, but there is no way to remove a group. This would be vital once groups in the network become defunct though. Please anyone with appropriate permissions create a bug or indicate if you would accept a pull request fixing the issue.