Permissions
TL;DR
The PermissionManager controls who can use your CMDOP bot and what they can do. Five
levels: NONE, READ, EXECUTE, FILES, ADMIN. Grant per-user, per-machine permissions with
pm.grant(). Supports wildcard machines, command whitelists/blacklists, persistent
JSON storage, and integration with Telegram/Discord/Slack channels.
Control access to your CMDOP bot with the built-in permission system.
What permission levels are available?
| Level | Value | Access |
|---|---|---|
| NONE | 0 | No access |
| READ | 10 | View status, list directories, read files |
| EXECUTE | 20 | Run shell commands |
| FILES | 30 | File write and delete operations |
| ADMIN | 100 | Full access to all machines and commands |
How do I set up permissions?
```python
from cmdop_bot import PermissionManager, PermissionLevel

# Create a new permission manager instance
pm = PermissionManager()

# Add admin — full access to all machines and commands
pm.add_admin("telegram:123456789")

# Grant execute permission for a specific machine
pm.grant(
    user_id="discord:987654321",
    machine="prod-server",
    level=PermissionLevel.EXECUTE,  # Can run shell commands on prod-server
)

# Grant read-only access to a different user/machine
pm.grant(
    user_id="slack:U12345678",
    machine="logs-server",
    level=PermissionLevel.READ,  # Can only view status and read files
)
```
How do I use permissions with bots?
Telegram
```python
from cmdop_bot.channels.telegram import TelegramBot
from cmdop_bot import PermissionManager, PermissionLevel

# Set up permission manager with admin and a regular user
pm = PermissionManager()
pm.add_admin("telegram:123456789")  # This user gets full access
pm.grant("telegram:987654321", machine="dev-server", level=PermissionLevel.EXECUTE)

# Pass the permission manager to the bot via the permissions parameter
bot = TelegramBot(
    token="YOUR_BOT_TOKEN",
    cmdop_api_key="cmdop_xxx",
    permissions=pm,  # Bot enforces these permissions on every command
)
bot.run()  # Start listening for Telegram messages
```
Discord
```python
from cmdop_bot.channels.discord import DiscordBot
from cmdop_bot import PermissionManager

# Create permission manager with a Discord admin
pm = PermissionManager()
pm.add_admin("discord:123456789")

# Attach permissions to the Discord bot
bot = DiscordBot(
    token="YOUR_BOT_TOKEN",
    cmdop_api_key="cmdop_xxx",
    permissions=pm,  # Bot enforces these permissions on every command
)
bot.run()  # Start listening for Discord messages
```
How are users identified?
Format: {channel}:{user_id}
| Channel | Format | Example |
|---|---|---|
| Telegram | telegram:{user_id} | telegram:123456789 |
| Discord | discord:{user_id} | discord:987654321 |
| Slack | slack:{user_id} | slack:U12345678 |
How do I check permissions?
```python
from cmdop_bot import PermissionManager, PermissionLevel

pm = PermissionManager()
pm.add_admin("telegram:123456789")  # Admin user
pm.grant("telegram:555555555", machine="dev-server", level=PermissionLevel.EXECUTE)

# check() returns True/False — admin has access to every machine
can_run = pm.check(
    user_id="telegram:123456789",
    machine="any-server",
    command="shell",
)
print(can_run)  # True — admins bypass all permission checks

# Non-admin: check for a machine they have access to
can_run = pm.check(
    user_id="telegram:555555555",
    machine="dev-server",
    command="shell",
)
print(can_run)  # True (has EXECUTE on dev-server)

# Non-admin: check for a machine they do NOT have access to
can_run = pm.check(
    user_id="telegram:555555555",
    machine="prod-server",
    command="shell",
)
print(can_run)  # False (no permission for prod-server)
```
How do I require permissions?
require() raises PermissionDeniedError if access is denied:
```python
from cmdop_bot import PermissionManager
from cmdop_bot.exceptions import PermissionDeniedError

pm = PermissionManager()

try:
    # require() raises an exception instead of returning False
    pm.require(
        user_id="telegram:999999999",
        machine="prod-server",
        command="shell",
    )
except PermissionDeniedError as e:
    # Catch the error and handle the denied access gracefully
    print(f"Access denied: {e}")
```
How do wildcard permissions work?
```python
from cmdop_bot import PermissionManager, PermissionLevel

pm = PermissionManager()
# "*" matches all machines — user can execute commands on any machine
pm.grant("telegram:123456789", machine="*", level=PermissionLevel.EXECUTE)
```
How do command whitelists and blacklists work?
Fine-grained control over which commands a user can run:
```python
from cmdop_bot.models import Permission, PermissionLevel

# Create a permission with an explicit whitelist of allowed commands
perm = Permission(
    user_id="telegram:555555555",
    machine="prod-server",
    level=PermissionLevel.EXECUTE,
    allowed_commands=["shell", "ls"],  # Only these commands are permitted
    denied_commands=None,  # No explicit denials needed here
)
perm.can_execute("shell")  # True — "shell" is in allowed_commands
perm.can_execute("agent")  # False — "agent" is not in allowed_commands
```
How do I persist permissions to a file?
Save permissions to a JSON file:
```python
from pathlib import Path
from cmdop_bot import PermissionManager, PermissionLevel

# Pass storage_path to auto-load on init and auto-save on every change
pm = PermissionManager(storage_path=Path("permissions.json"))
pm.add_admin("telegram:123456789")  # Saved to permissions.json automatically
pm.grant("discord:987654321", machine="dev-server", level=PermissionLevel.EXECUTE)

# On restart, create a new manager with the same path — data is restored
pm2 = PermissionManager(storage_path=Path("permissions.json"))
print(pm2.is_admin("telegram:123456789"))  # True — loaded from file
```
How do I revoke permissions?
```python
# Remove a specific machine permission for a user
pm.revoke(user_id="discord:987654321", machine="dev-server")

# Remove admin privileges from a user
pm.remove_admin("telegram:123456789")
```
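
A least-privilege review of a set of grants, as an added example that is not part of the cmdop_bot package or its documentation: it uses only the level values, the `{channel}:{user_id}` format and the `*` wildcard described above. The grant dictionaries, the per-channel ID patterns and the `sensitive_machines` parameter are assumptions made for this example.

```python
import re

# Level values as listed in the permission-level table above.
LEVELS = {"NONE": 0, "READ": 10, "EXECUTE": 20, "FILES": 30, "ADMIN": 100}

# {channel}:{user_id} shapes from the identifier table. The exact character
# rules per channel are an assumption made for this example.
USER_ID_PATTERNS = {
    "telegram": re.compile(r"\d+"),
    "discord": re.compile(r"\d+"),
    "slack": re.compile(r"[A-Z0-9]+"),
}


def valid_user_id(user_id):
    """True if user_id is '{channel}:{id}' for a known channel."""
    channel, sep, ident = user_id.partition(":")
    pattern = USER_ID_PATTERNS.get(channel)
    return bool(sep and pattern and pattern.fullmatch(ident))


def audit_grants(grants, sensitive_machines=()):
    """Return (user_id, machine, finding) tuples for grants worth reviewing."""
    findings = []
    for g in grants:
        user, machine, level = g["user_id"], g["machine"], LEVELS[g["level"]]
        if not valid_user_id(user):
            findings.append((user, machine, "malformed user id"))
        if machine == "*" and level >= LEVELS["EXECUTE"]:
            findings.append((user, machine, "wildcard grant at EXECUTE or above"))
        if machine in sensitive_machines and level >= LEVELS["FILES"]:
            findings.append((user, machine, "FILES or above on sensitive machine"))
    return findings


# Constructed sample grants (hypothetical; not read from a real permissions.json).
SAMPLE_GRANTS = [
    {"user_id": "discord:987654321", "machine": "prod-server", "level": "EXECUTE"},
    {"user_id": "slack:U12345678", "machine": "logs-server", "level": "READ"},
    {"user_id": "telegram:123456789", "machine": "*", "level": "EXECUTE"},
    {"user_id": "telegram:@alice", "machine": "dev-server", "level": "READ"},
    {"user_id": "discord:111111111", "machine": "prod-server", "level": "FILES"},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, sensitive_machines={"prod-server"}):
        print(finding)
```

Running a review like this before calling `pm.grant()` for each entry keeps broad grants (wildcard machines, FILES or ADMIN on production hosts) visible instead of buried in a long list.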