Spec: Describe grant delegation and verification mechanism (#184)
Overview:
- So far, the authorization system allows resources to grant access directly to people
- But in a situation of projects, teams, hierarchy of projects, hierarchy of teams etc. we need a flexible and efficient way for access rights to flow between actors
- This PR adds a delegation chain mechanism, allowing actors to receive access and then pass it on to other actors, who can then use it to manipulate the resource (and/or pass it on to even more actors)
- Delegation is a standard feature of Object Capability based systems
- The delegation mechanism in this PR doesn't just allow anyone to freely delegate; it allows delegation in the way relevant to forge federation: Basically, repos/trackers/tools/services delegate to projects, which delegate to teams, which delegate to people
(This PR used to be #166, due to a Codeberg error I had to close it and reopen a fresh PR)
Co-authored-by: fr33domlover <fr33domlover@riseup.net>
Reviewed-on: https://codeberg.org/ForgeFed/ForgeFed/pulls/184
Reviewed-by: Anthony Wang <xy@noreply.codeberg.org>