From 44b05d1dd1140b5617eda9dd2e7721ed353821f3 Mon Sep 17 00:00:00 2001
From: Peter Beverloo
Date: Thu, 18 Jul 2024 20:57:05 +0100
Subject: [PATCH] Introduce a new "root" permission above regular "admin" permissions
---
 app/lib/auth/Access.ts | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)
diff --git a/app/lib/auth/Access.ts b/app/lib/auth/Access.ts
index 2c269d26..d24dc534 100644
--- a/app/lib/auth/Access.ts
+++ b/app/lib/auth/Access.ts
@@ -12,11 +12,22 @@ export const kPermissions = { // Administrator permission // --------------------------------------------------------------------------------------------- + 'root': { + name: 'Root administrator (role)', + description: + 'The root administrator role grants all permissions in the system without exception, ' + 'providing unrestricted access. This includes read/write access to system logs and ' + 'the ability to update permissions for other people.', + type: 'boolean', + warning: true, + }, + 'admin': { name: 'Administrator (role)', description: - 'The administrator role grants all permissions in the system without exception, ' + 'including full access to all event and volunteer information.', + 'The administrator role grants all permissions in the system, except for the ability ' + 'to remove log entries, to grant or revoke permissions to others, and access to ' + 'internal tooling only useful for development.', type: 'boolean', warning: true, },
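Review bot: Nothing in the new `'root'` entry, nor in the `kPermissionGroups` expansion in the second hunk, ties the right to grant `root` to already holding `root`; if the permission-update path gates on `volunteer.permissions:update` alone, a holder of that single permission could assign themselves the unrestricted role, so the check in the update handler (outside this patch) is worth confirming and noting on the entry, e.g. `// NOTE: granting 'root' must itself require 'root'; enforced in the permission-update handler.`. The reworded `'admin'` description enumerates three prose exclusions (log deletion, permission changes, internal tooling) that silently depend on the `// note: … omitted` entries of `kPermissionGroups.admin`; a line such as `// Keep in sync with the exclusions listed in kPermissionGroups.admin.` above `description:` would make that coupling explicit. The section comment `// Administrator permission` now heads two entries and could read `// Administrator permissions (root, admin)`.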
@@ -256,13 +267,33 @@ export const kPermissions = {
 * granted the "admin" permission, permissions included in the associated list will also be granted.
 */
 export const kPermissionGroups: Record = {
- admin: [
+ root: [
+ 'root', // reflection
 'admin', // reflection
 'event',
 'system',
 'volunteer',
 ],
+ admin: [
+ 'admin', // reflection
+
+ 'event',
+
+ 'system.content',
+ 'system.displays',
+ 'system.feedback',
+ // note: system.internals omitted
+ // note: system.logs:delete omitted
+ 'system.logs:read',
+ 'system.nardo',
+
+ 'volunteer.avatars',
+ 'volunteer.export',
+ // note: volunteer.permissions:update omitted
+ 'volunteer.permissions:read',
+ 'volunteer.silent',
+ ],
 staff: [
 'event.applications:read',