Question
How do I set up basic user permissions so users can't run commands like "Hubot die" or "Hubot show storage"?
I can see there is a script called hubot-auth but that seems to be for implementing it in other scripts and not controlling existing commands.
Answer 1:
There is a small chapter about it in the Automation and Monitoring with Hubot book (shameless plug). Excerpt:
Assigning Roles
Only Admin users can assign roles. You don't have to create a role before assigning. All you have to do is tell Hubot who is who using hubot <user> has <role> role. And you no longer have to use those cryptic IDs anymore:
    Tomas   hubot Jesse Pinkman has developer role
    Hubot   Tomas: Ok, Jesse Pinkman has the 'developer' role.
Check the assigned roles using hubot what roles does <user> have?:
    Tomas   hubot what roles does Jesse Pinkman have?
    Hubot   Tomas: Jesse Pinkman has the following roles: developer.
To remove the role from somebody, use hubot <user> does not have <role> role:
    Tomas   hubot Jesse Pinkman does not have developer role
    Hubot   Tomas: Ok, Jesse Pinkman doesn't have the 'developer' role.
You can assign multiple roles to multiple users.
Applying Roles
Now, time to break the bad news. While Hubot Auth is pretty flexible, you will have to edit your scripts to apply those roles. Luckily, there is not much to edit. There is a simple function that checks if a user has a role - robot.auth.hasRole(msg.envelope.user, '<role>').
This is how you use it in a script:
    module.exports = (robot) ->
      robot.respond /do dangerous stuff/i, (msg) ->
        if robot.auth.hasRole(msg.envelope.user, 'developer')
          doDangerousStuff(msg)
        else
          msg.reply "Sorry, you don't have 'developer' role"
      doDangerousStuff = (msg) ->
        msg.send "Doing dangerous stuff"
Answer 2:
As stated in the original answer, you have to be a Hubot admin in order to assign roles. To define the Hubot admins, you have to set the HUBOT_AUTH_ADMIN environment variable to a comma-delimited string of IDs of the admins. If you're using Slack, you can use their API to figure the IDs of the users that should be admins. For Slack these IDs will look something like U123ABC1D.
Answer 3:
I can see that hubot die is defined in the ping.coffee script. Maybe you can have a check there on authorized users when the command is run?
Something like this?
    if msg.message.user.name in [authorized_user1, authorized_user2,..]
      # Do more stuff
The same can be done for the other show storage script too. I am not really sure if this is the best way to go about it though as you will have to modify all the scripts that you do not want to be executed.
A cleaner approach would be to set the list of users as an env variable at startup (kind of like what hubot-auth does) and then check it inside each script instead of hard coding user names.
Hope that helps.
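
The environment-variable approach from the last answer, as an added example that is not part of the original thread and is written in JavaScript (which Hubot also loads) rather than CoffeeScript. HUBOT_RESTRICTED_USERS, parseAllowList, requireAllowed and restrictedScript are hypothetical names; the list holds user IDs in the same comma-delimited shape as HUBOT_AUTH_ADMIN, and an unset or empty list denies everyone.

```javascript
// Added example: allow list read from an environment variable at startup.
// HUBOT_RESTRICTED_USERS and all function names here are hypothetical.

// Parse a comma-delimited list of user IDs (same shape as HUBOT_AUTH_ADMIN).
// Whitespace and empty entries are dropped so "a, ,b" yields two IDs.
function parseAllowList(raw) {
  return new Set(
    (raw || '')
      .split(',')
      .map((id) => id.trim())
      .filter((id) => id.length > 0)
  );
}

// Wrap a command handler so it only runs for users on the allow list.
// Fails closed: a missing user, missing ID or empty list means "deny".
function requireAllowed(allowList, handler) {
  return (msg) => {
    const user = (msg.envelope && msg.envelope.user) || {};
    // Match on the adapter-assigned ID rather than the display name.
    if (user.id != null && allowList.has(String(user.id))) {
      return handler(msg);
    }
    msg.reply('Sorry, you are not allowed to run this command');
    return false;
  };
}

// Hubot script entry point: the list is read once, when the script loads.
function restrictedScript(robot) {
  const allowed = parseAllowList(process.env.HUBOT_RESTRICTED_USERS);
  robot.respond(/do dangerous stuff/i, requireAllowed(allowed, (msg) => {
    msg.send('Doing dangerous stuff');
    return true;
  }));
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = restrictedScript;
}
```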
Source: https://stackoverflow.com/questions/24676910/how-to-setup-hubot-basic-permissions