GSOC 2023 Proposal: Administration System- BookBrainz

Personal Information

FullName: Vivek Kumar
IRC nick: vivekumar08
Github: vivekumar08
Email: vivekumar2003bsr@gmail.com

Proposal Overview

BookBrainz currently lacks an administration system with a flexible privilege hierarchy, which makes it difficult to assign roles and give special privileges to users. To address this issue, this proposal outlines the implementation of a basic admin system with a flexible privilege hierarchy. The system will include modifications to the database schema, implementation of a simple admin panel webpage, and middleware for securing specific routes according to a user’s roles.

benefits to the community

The proposed changes to BookBrainz will help in several ways:

  1. Improved User Management: The modifications to the database schema will enable admins to easily assign roles and give special privileges to users. This will improve user management and ensure that users have the appropriate access and permissions to perform their tasks.
  2. Better Security: The implementation of middleware for securing specific routes according to a user’s roles will enhance the security of BookBrainz. Users will only be able to access pages and perform actions that are appropriate for their roles, preventing unauthorized access and malicious activity.
  3. Enhanced Efficiency: The admin panel webpage will allow admins to search for users and perform actions such as assigning roles and revoking privileges quickly and efficiently. This will save time and effort and make BookBrainz more efficient overall.
  4. Increased Flexibility: The proposed system will have a flexible privilege hierarchy, allowing for the creation of new roles as needed. This will provide BookBrainz with the flexibility to adapt to new requirements and changes in the future.

In summary, the proposed changes will improve user management, enhance security, increase efficiency, and provide increased flexibility to BookBrainz.

Implementation plan

There are 3 steps in which we can proceed:

Modifications to the Database Schema:

Modifying the database schema is the first step in developing a basic admin system with a configurable privilege structure. This will necessitate the addition of two tables: roles and user roles. The roles table will contain at least two columns: id and name, with the id column serving as the primary key and the name column containing the role’s name, such as “admin,” “privileged editor,” or “user.” There will be three fields in the user roles table: user id, role id, and created at. The user id column will relate to the users table’s id column, the role id column will refer to the roles table’s id column, and the created at column will hold the date and time when the user was assigned the role.

SQL Structure

CREATE TABLE roles (
  id SERIAL PRIMARY KEY,
  name VARCHAR(255) NOT NULL,
  description TEXT
);

CREATE TABLE users (
  id SERIAL PRIMARY KEY,
  username VARCHAR(255) NOT NULL,
  email VARCHAR(255) NOT NULL,
  password VARCHAR(255) NOT NULL,
  created_at TIMESTAMP NOT NULL DEFAULT NOW(),
  updated_at TIMESTAMP NOT NULL DEFAULT NOW()
);

CREATE TABLE user_roles (
  user_id INT REFERENCES users(id),
  role_id INT REFERENCES roles(id),
  PRIMARY KEY (user_id, role_id)
);

Implementation of Admin Panel Webpage:

The creation of an admin panel webpage is the next stage in the implementation of a simple admin system with a flexible privilege hierarchy. Only users with the “admin” role will have access to this website. Users can be found using the search option in the admin panel by name, email, or other criteria. The admin can grant or withdraw roles to users if they are found. Also, administrators should be allowed to take other actions like blocking or deleting rude users.

Middleware for Securing Specific Routes:

Finally, the system will include middleware for securing specific routes according to a user’s roles. This will ensure that only users with the appropriate roles can access specific pages. For example, only users with the “admin” role should be able to access the admin panel, while only users with the “privileged editor” role should be able to edit relationships and identifiers and trigger a reindex of the search server. If a user tries to access a page they do not have permission to, they will be redirected to a “forbidden” page.

Middleware

const isAdmin = (req, res, next) => {
  if (req.user && req.user.roles.includes('admin')) {
    return next();
  } else {
    return res.status(403).json({ message: 'You are not authorized to access this resource.' });
  }
};

const isEditor = (req, res, next) => {
  if (req.user && req.user.roles.includes('editor')) {
    return next();
  } else {
    return res.status(403).json({ message: 'You are not authorized to access this resource.' });
  }
};

Functions

const blockUser = async (userId) => {
  const user = await User.findOne({ id: userId });
  if (!user) {
    throw new Error('User not found.');
  }

  user.status = 'blocked';
  await user.save();
};

const deleteAbusiveUser = async (userId) => {
  const user = await User.findOne({ id: userId });
  if (!user) {
    throw new Error('User not found.');
  }

  // Delete user and associated data
  await Promise.all([
    User.deleteOne({ id: userId }),
    UserProfile.deleteOne({ user: userId }),
    UserRoles.deleteMany({ user: userId }),
    UserSessions.deleteMany({ user: userId }),
  ]);
};

const reindexSearchServer = async () => {
  // Trigger reindexing of search server
};

Contribution

I contributed to the setup documentation of the project because initially, it will be good practice for New Users to fork the repo first before contribution which I have mentioned in the docs of the project, It is a small contribution to the project. However, rather than this I explore the site Bookbrainz.org and its code structure, and database schema, and I analyze the latest commit done by the other contributors which make me the best-fit participant.

Timeline

Week 1-2:
Throughout the first two weeks, the roles and user roles tables will be added to the database schema. We will also change the present user interface to accommodate the new changes.

Week 2-4

We will start implementing the admin panel webpage in the next couple of weeks. The user will need to be mediated, the associated documentation will need to be generated, and a role for admins to assign and revoke responsibilities will need to be set up.

Week 5-6

We’ll start putting the admin panel webpage into use within the next two weeks. In order to do this, the admins will need to build up the capabilities for admins to assign and revoke responsibilities as well as design the user interface and create the relevant forms.

Week 7-8

We will continue to work on the admin panel homepage at this time, paying particular attention on developing a search feature that will enable admins to look for users by name, email, or other criteria.

Week 9

This week, we will test the entire system to make sure everything is working as it should. Additionally, we will identify and fix any flaws or issues we detect.

Week 10

Over the next week, the production environment will gradually be introduced to the new admin system. We will also provide training materials and documentation to help users understand how to use the new system.

Stretch Goal

I believe I will be able to complete the project within the time frame. I’d like to work on making relationship attributes more configurable, such as Date/Time.

Conclusion:

The implementation of a basic admin system with a flexible privilege hierarchy is critical to providing users with the necessary roles and special privileges in BookBrainz. The proposed modifications to the database schema, implementation of an admin panel webpage, and middleware for securing specific routes will enable admins to easily assign roles and give special privileges to users, making BookBrainz more efficient and effective.

Other Information

  1. Tell us about the computer(s) you have available for working on your SoC project!

    I have a LENOVO Ideapad Gaming 3 with a Ryzen 5 of 4000 series processor and 8 GB of RAM.

  2. When did you first start programming?

    I started programming when I was in class 11th.

  3. What type of music do you listen to?

    I often listen to soul and country music.

  4. If applying for a BookBrainz project: what type of books do you read?

    I love writings, novels, and poems. Everything by Robert Frost (Author) and William Shakespeare (Author) – BookBrainz.

  5. What aspects of the project you’re applying for (e.g., MusicBrainz, AcousticBrainz, etc.) interest you the most?

    I’ve been researching the BookBrainz, a community-maintained database of book metadata, including information on authors, publishers, and editions. The project offers a range of technical challenges, including data modeling, database design, and API development. I like the community and the discussions focused on improving the project as a whole.

  6. Have you ever used MusicBrainz to tag your files?

    No. I still have to give it a try.

  7. Have you contributed to other Open Source projects?

    Yes, I had contributed to many projects since October 2022. I have made contributions on all fronts, be it frontend, backend, documentation, some design changes(diagrams), tests, etc.

  8. How much time do you have available, and how would you plan to use it?

    I’ll be able to provide 30 hours per week. During most of the time this project is underway, I will be totally free. I will have enough time to complete everything on time, even if I am not entirely free.

2 Likes

Thanks for submitting a proposal @vivekumar08 :slight_smile:

I see some room for improvement; overall, more details on each step would help us both see more clearly the scope of the project and how we can organize our time.
I’ll copy over some of my comments from other posts:


Database structure: We already have an [existing user table](https://github.com/metabrainz/bookbrainz-site/blob/master/sql/schemas/bookbrainz.sql#L28) (called *editor* in our case) which does not look like that. Are you suggesting a new users table? If so, what for?
About roles: The proposed system doesn't suggest specific roles, but we are bound to end up with complicated use-cases and combinations of roles. Can I be an admin but not have some data modification rights? Can I have some admin rights, but not the right to delete users? Can I be a privileged user that can edit relationship types, but not have the right to reindex? What if we want to prevent a user from entering edits?

In short, the system as proposed does not seem very flexible or future-proof.

I know MusicBrainz uses another type of system to define permissions with bit masking I believe. Have a look at the flags they can set: musicbrainz-server/constants.js at master · metabrainz/musicbrainz-server · GitHub
You can ask someone from the MusicBrainz team in the #metabrainz IRC channel who could have more information about how this is used and set.
Consequently, the database tables and the middleware would be different.
For one, we would only need a numeric column on the user table to define multiple privileges, since the numeric flags can be combined.


The Implementation of Admin Panel Webpage section only describes very briefly what the actual meat of the project is. Instead of telling me what would happen, I’d like for you to show me how you would make it happen instead.

Visual mockups could also be helpful here to show where you are heading.

In blockUser, you set user.status to blocked. That column does not appear in your user table nor in the existing editor table.
It doesn’t look like this is using our existing ORM that we user to interface with the database.
Similarly, what are UserSessions?

It just looks like copy-pasted code to be honest. :confused:


Timeline: Here again a bit more details and step by step breakdown of the project would be useful.

Week 1 and 2 seem pretty long for what looks like simple database schema changes, unless I’m missing something.
You also mention user interface changes following that; what would those be?

Week 2-4 should probably say Week 3-4?

I don’t understand what the production environment will gradually be introduced to the new admin system. means in week 10. Can you rephrase that?

Thanks for reviewing my proposal :blush:
I will provide the solution that you seek in each section and try to resolve your queries.


Database Structure: Yes, you are right, and I have also gone through that. I am not suggesting any new table except roles & user_roles, I am also referring to the editor table for my users table and proposing an extra field called status, I didn’t write all the fields of the editor table & thanks for pointing me out in your about roles section that I didn’t write status field as well in my users table that I wrote in my proposal. :upside_down_face:


About roles: In my proposed method for implementing a basic admin system for BookBrainz, there will be two main roles for admins - a super admin and a regular admin. Here is an overview of the roles and their responsibilities:

Super Admin

  • Has access to all admin features and can perform any action in the admin panel.
  • Can manage editor accounts, including creating, editing, and deleting editor accounts.
  • Can manage roles and privileges for all users, including creating new roles and assigning privileges to users.
  • Can manage the search server, including triggering a reindex of the search server.
  • Can perform any action that a regular admin can perform.

Regular Admin

  • Can access the admin panel and perform limited actions based on their assigned role and privileges.
  • Can view and search for user accounts, but cannot create, edit or delete editor accounts.
  • Can manage roles and privileges for editors with lower privileges than their own.
  • Can block or delete abusive user accounts.
  • Can edit relationships and identifiers for books.

In this way, the admin system is designed to provide different levels of access and privileges to admins based on their role, while also ensuring that sensitive operations are restricted to super admins only. This approach allows for a flexible and scalable admin system that can be adapted to suit the needs of BookBrainz over time.

I hope that I addressed all the questions which you have asked

  • Can I be an admin but not have some data modification rights?
  • Can I have some admin rights, but not the right to delete users?
  • Can I be a privileged user that can edit relationship types, but not have the right to reindex?
  • What if we want to prevent a user from entering edits?

As you have recommended that MusicBrainz uses another type of system to define permissions with bit masking So, I searched about it and I got the method to implement this with my proposed method, it goes like this in the context of user/editor roles, each role can be associated with a binary bit mask that represents the set of permissions associated with that role. By the way, I don’t think that you need an example to understand but for better understanding. For example, a role with the ability to edit relationships and identifiers could be represented by the binary bit mask 0010 (2 in decimal), while a role with the ability to trigger a reindex could be represented by the binary bit mask 0100 (4 in decimal).

When a user is assigned a role, the system can combine the bit masks of all their assigned roles to create a single bit mask representing their combined permissions. This bit mask can then be used to determine whether the user has the appropriate privileges to access certain parts of the application or perform certain actions.

Using bit masking can make it easier to manage and modify permissions for user roles, as it allows for fine-grained control over the permissions associated with each role and the ability to combine multiple roles into a single set of permissions for each user. However, it also requires careful management to ensure that the bit masks are correctly assigned and combined to avoid conflicts or unintended consequences.

Somehow, if I missed anyone of your questions or you have any other questions related to the roles of admin or want to explain all the answers to your questions, we can discuss them, I am looking forward to resolving them.


The Implementation of Admin Panel Webpage
Let me explain a bit to you how we proceed in order to implement it.

  • The first step would be to design the user interface for the admin panel webpage. The user interface should be intuitive and easy to use and should allow admins to perform the necessary actions with minimal effort.
  • Next, we would need to define the routes for the admin panel webpage. We would want to secure the admin panel so that only users with the “admin” role can access it. We can define the routes using a popular Node.js framework such as Express
  • In order to secure the admin panel routes, we would need to implement middleware that checks the user’s role and grants or denies access accordingly. This middleware can be implemented using a popular Node.js authentication library such as JWT.
  • The admin panel should have a user search functionality that allows admins to search for users by name, email, or other criteria. This functionality can be implemented using a server-side search library such as Elasticsearch.
  • Once the admin has found the user they want to modify, they should be able to assign or revoke privileges from the user.
  • The admin panel should also allow admins to block or delete abusive users. This functionality can be implemented using server-side database operations, with appropriate validation and error handling.
  • Finally, admins with the appropriate privileges should be able to trigger a reindex of the search server.
    As you want some visual mockups for Admin Panel Webpage, I know they are very helpful to understand and give a clear idea of how it works but by the time constraint, I can just give some possible mockups
  1. User search functionality: The user search functionality would allow admins to search for users by name, email, or other criteria. The search results would show basic information about each user, such as their name, email, and role. Clicking on a user would take the admin to the user details page.
  2. User details page: The user details page would show detailed information about the selected user, including their name, email, role, privileges, and so on. The admin would be able to assign or revoke privileges from the user using checkboxes or buttons. The admin would also be able to block or delete the user using buttons.
  3. Reindex trigger functionality: The reindex trigger functionality would allow admins with the appropriate privileges to trigger a reindex of the search server. This functionality could be implemented using a simple button or toggle switch.

I think I have cleared myself about user. Status in the database structure of this reply.

It doesn’t look like this is using our existing ORM that we user to interface with the database.
It seems like I haven’t used this in the proposal but we will use this during the code implementation of the interface with the database

What are UserSessions?
UserSessions refer to the login sessions of users on a web application. When a user logs in to a web application, the application creates a session for the user that stores information about their authentication status and any relevant data associated with their account. This session allows the user to interact with the application without having to re-authenticate on each page or action. We can make it optional if you don’t get it.

The session is typically stored on the server side and is associated with a specific user account. When the user logs out or their session expires, the session is destroyed and the user is logged out of the application.

In the context of my proposal, UserSessions would be used to authenticate users and determine their privileges based on their assigned roles. Admins would have access to the admin panel only if their session identifies them as having admin privileges, while other users would not be able to access the admin panel.

It just looks like copy-pasted code to be honest. :confused:
My sincere apologies that my code feels you a copy pasted only because I only wrote the basic structure of the functions and didn’t explain everything in the proposal. It is obvious to think like that however, to be honest, I didn’t copy-pasted it even though I have written it on my own thinking maybe that’s why this is so confusing :smiling_face_with_tear:

Again, I am hoping that I cleared myself for this section as well.


Timeline: As you asked for more details and a step-by-step breakdown of the project would be helpful. So I revised it and try to complete this project within 7 weeks.

Week 1: Database schema changes and role management

  • Modify the database schema to add the necessary tables for role management
  • Implement functionality to create, edit, and delete roles in the admin panel

Week 2: User-role management and middleware

  • Add tables to attach users to roles and implement user-role management functionality in the admin panel
  • Implement middleware to secure specific routes based on user roles

Week 3: Admin panel and user search functionality

  • Build the admin panel web interface to allow admins to search for users, view user details, and assign roles
  • Implement user search functionality in the admin panel

Week 4: User role editing and user blocking/deletion

  • Extend the admin panel functionality to allow privileged users to edit user roles
  • Implement functionality to block or delete abusive users

Week 5: Relationship and identifier editing

  • Implement functionality to allow privileged users to edit relationships and identifiers

Week 6: Search server reindexing and testing

  • Implement functionality to allow privileged users to trigger a reindex of the search server
  • Test the admin system and role management functionality to ensure it meets the requirements and is secure

Week 7: Test the entire system

  • During this week, we will test the entire system to ensure that it is working correctly. We will also identify and fix any issues or bugs that we encounter.
  • We will deploy the new admin system to the production environment. We will also provide documentation and training materials to help users understand how to use the new system.

This timeline will satisfy your all queries.
Now let’s come to your questions related to the previous timeline:

  • You also mention user interface changes following that; what would those be?

    I have mentioned all the interface changes in the mockup of the Admin Panel Webpage.

  • Week 2-4 should probably say Week 3-4?

    Yes, that was a typo mistake.

  • I don’t understand what the production environment will gradually be introduced to the new admin system. means in week 10. Can you rephrase that?

    I have rephrased it in 2nd point of week 7 in the new timeline


Hoping that these are the changes which you are looking for and this reply will solve and give the answer to your queries and all the questions.

2 Likes