Mastodon: Add a "moderator" user status

Created on 14 Apr 2017 · 13 Comments · Source: tootsuite/mastodon

Currently there is only an "admin" status, it would be useful to add a "moderator" status to allow some people to help with moderation without giving them all the rights.

Note: I would like to take care of it but I lack the front/reactjs skills


  • [x] I searched or browsed the repo's other issues to ensure this is not a duplicate.
expertise wanted ui

All 13 comments

I'd be happy to contribute this. Before I start, there's a few things that should be discussed:

  • Which of the admin pages should moderators have access to? I'm thinking Reports, Accounts and Domain Blocks. PubSubHubbub, Sidekiq, PgHero and Site Settings would remain admin-only.
  • Thoughts on switching to an enum for the role, and migrating the admin bool into that? Adding more bools feels weird, but I don't feel too strongly about this.
  • I'm thinking the access rules are still pretty simple, so we don't necessarily need to add something like pundit, but if anyone feels we'd benefit from that down the line, I can add it.

An enum for role feels weird. I think it makes more sense to use some sort of bitfield, right?

A bitmask would make sense if there's a 1:n (has_many) relation from users to roles. That's probably unnecessarily complex for the simple "admin/moderator/user" use-case Mastodon has.

@patf I am going to try and get you some more answers to your questions, so you can further help with this.

Hey, I'm going to clear up these 3 comments about "verified check marks", as it does not contribute to this feature discussion at all.
As moderator user status does not refer to a "status symbol" but actually having a user setting in the backend which allows moderators to moderate, while not having full admin access (which a lot of admins may be wary of handing out)

@patf yes, nearly every website with a permissions setup has a has_many relationship. anything else is incredibly cumbersome and limiting in the long run.

@mal0ki what are the practical benefits of not having "full admin access"? like, what are the specific permissions that admins would have and moderators wouldn't?

Things that I can think of off the top of my head maybe shouldn't be visible to moderators-as-distinct-from-admins:

  • the email addresses of individual users
  • IP addresses of individual users (except that this is crucial for figuring out alt accounts)
  • changing site settings
  • changing domain blocks (destructive broad scope instance-wide action)

PGHero, Sidekiq, PubSubHubbub are "technical", surely, but they have no personally identifiable information, and none or very minimal destructive capabilities. I'm not sure why it makes sense to restrict access to them.

They can stop sidekiq workers if moderators can access sidekiq web console, so I think sidekiq should not be accessible by moderators.

As nullkal mentioned, sidekiq allows you to mess with queued jobs, pghero allows you to kill queries/connections, so they should definitely not be accessible to anyone but admins.

I think mods should only have access to reports and accounts. Domain blocks should remain admin-only.

Also ensure we can promote/demote people to admin/mod via the admin control panel, I shouldn't have to log in to the user terminal the site is running under (as per most mastodon guides on the internet) to promote someone. It's a needless security risk.

I guess the only thing I'll push back on is that as a mod, it's often super helpful for me to keep an eye on the sidekiq queue if I notice that there's some sluggishness or whatever, and that's something that admins can't be doing all the time.

👋 Is there still motion on this, or a list of what's needed? This is something I would very much like as an admin of my own instance, potentially even trying to help development.

I also feel like this is something that would be helpful for the mastodon.social admins, and I'm kind of curious how they're dealing with the current deluge of reports they must be getting.

+1 on this new "Moderator" role only having access to "Accounts" and "Reports"

I like the idea of a new moderator role. What about custom emojis, though?
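
The access split discussed in this thread, as an added Ruby example that is not part of the issue or of Mastodon's code: one ordered role replaces separate booleans, and each admin section is checked deny-by-default. The module, method and section names are hypothetical, and the section assignments follow the "Accounts and Reports only" proposal from the comments.

```ruby
# Added illustration in plain Ruby (no Rails). All names are hypothetical.
module AdminAccess
  # Ordered roles stored as one value, instead of admin/moderator booleans.
  ROLES = %i[user moderator admin].freeze

  # Minimum role per admin section. Moderators get Reports and Accounts;
  # tools that can kill jobs, queries or federation stay admin-only.
  MINIMUM_ROLE = {
    reports:       :moderator,
    accounts:      :moderator,
    domain_blocks: :admin,
    site_settings: :admin,
    pubsubhubbub:  :admin,
    sidekiq:       :admin,
    pghero:        :admin
  }.freeze

  # Position of a role in the hierarchy, or nil for an unknown role.
  def self.rank(role)
    ROLES.index(role)
  end

  # Deny by default: an unknown role or an unlisted section (for example
  # custom emojis, which the thread leaves undecided) grants nothing.
  def self.allowed?(role, section)
    required = MINIMUM_ROLE[section]
    have = rank(role)
    return false if required.nil? || have.nil?

    have >= rank(required)
  end

  # Migrating the legacy boolean: only a literal true becomes :admin.
  def self.role_from_legacy(admin_flag)
    admin_flag == true ? :admin : :user
  end

  # Promotion and demotion from the admin panel: only admins may assign
  # roles, and only roles that exist.
  def self.can_assign_role?(actor_role, new_role)
    actor_role == :admin && ROLES.include?(new_role)
  end
end
```

Because unlisted sections fail closed, adding a new admin page without a rule locks everyone out of it rather than exposing it to moderators by accident.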
