pusher/chatkit-client-js

global scope roles take priority over room-scoped roles

Closed this issue · 2 comments

I have a user which has the global scope role default assigned to it. That role has the permission file:create.
I then assigned a room-scoped role room_member to the same user, in which the file:create permission was disabled.

In this scenario, I'm expecting to get an error if I attach a file to a message. But it doesn't. I'm in the same room where the role was scoped, so I expect it to take priority over the globally scoped role. Am I wrong in this assumption? Is this a bug? Or should I avoid using global scoped roles entirely (or only assign minimal permissions to them)?

From https://pusher.com/docs/chatkit/roles-and-permissions#roles

If a user makes a request that is relevant to a specific room and the user has a room specific role assigned to them, then the permissions attached to the room specific role are combined with the permissions attached to their globally scoped role, whether that be the default role or otherwise, and the combined set of permissions is then used to check if the request should be permitted or rejected.

In other words, your permissions are the union of those in the global scope and room scope. Interesting use case though, having fewer permissions in some rooms, so thanks for the idea!
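The union rule quoted above, modelled as an added example (not Chatkit SDK or server code; the role names, permission strings, user ids and the `ROLES`/`ASSIGNMENTS` layout are constructed for illustration). It reproduces the situation from the issue, where a room-scoped role that lacks `file:create` cannot take it away, and then shows the least-privilege arrangement the thread points at: keep the global role minimal and grant extra permissions per room.

```javascript
// Added example: a model of the documented union semantics. Not Chatkit code;
// role names, permissions and assignments below are constructed.

// Constructed role definitions: role name -> set of permission strings.
const ROLES = {
  default: new Set(["message:create", "file:create"]), // globally scoped role
  room_member: new Set(["message:create"]),            // room-scoped, no file:create
};

// Constructed assignments: user id -> { global role, room id -> room-scoped role }.
const ASSIGNMENTS = {
  alice: { global: "default", rooms: { general: "room_member" } },
};

// Effective permissions for a request relevant to `roomId`. Per the docs, the
// room-scoped role's permissions are combined with the global role's, i.e. a
// set union: nothing in the room-scoped role can remove a global permission.
function effectivePermissions(roles, assignments, userId, roomId) {
  const a = assignments[userId];
  if (!a) return new Set();
  const perms = new Set(roles[a.global] || []);
  const roomRole = roomId !== undefined ? a.rooms[roomId] : undefined;
  for (const p of roles[roomRole] || []) perms.add(p);
  return perms;
}

function isPermitted(roles, assignments, userId, roomId, permission) {
  return effectivePermissions(roles, assignments, userId, roomId).has(permission);
}

// The issue's scenario: room_member lacks file:create, but the union with the
// global default role still grants it in the room.
function issueScenario() {
  return isPermitted(ROLES, ASSIGNMENTS, "alice", "general", "file:create"); // true
}

// Least-privilege arrangement: a minimal global role, with file:create granted
// only through a room-scoped role in the rooms where it is wanted.
function minimalGlobalScenario() {
  const roles = {
    default: new Set(["message:create"]),
    room_member: new Set(["message:create"]),
    room_uploader: new Set(["message:create", "file:create"]),
  };
  const assignments = {
    alice: {
      global: "default",
      rooms: { general: "room_member", uploads: "room_uploader" },
    },
  };
  return {
    general: isPermitted(roles, assignments, "alice", "general", "file:create"), // false
    uploads: isPermitted(roles, assignments, "alice", "uploads", "file:create"), // true
  };
}

console.log("issue scenario, file:create in 'general':", issueScenario());
console.log("minimal global role:", minimalGlobalScenario());
```

Because the check is a union, the only way to make a permission room-dependent is to leave it out of the global role and add it back per room, which is what `minimalGlobalScenario` does.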

Closing as stale.