Add admin permissions window with server-side permission management

Extends the AdminRequest protocol with permission CRUD operations
(GetPermissions, SetUserGroup, SetUserNode, SetGroupNode, CreateGroup,
DeleteGroup, SetGroupParent). Any authenticated user can view the
permission snapshot; only admins can modify groups, nodes, and user
assignments. Server-side changes persist to permissions.xml via the
existing PermissionManager. Client-side adds a new Permissions tab
in Settings with read-only display for normal users and full edit
controls for admins.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: dooly123

Basis Server/BasisNetworkServer/Security/BasisPlayerModeration.cs

@@ -1,5 +1,6 @@
 using Basis.Network.Core;
 using BasisNetworkCore;
+using BasisPermissions;
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
@@ -9,6 +10,7 @@
 using System.Text;
 using System.Xml.Serialization;
 using static BasisNetworkCore.Serializable.SerializableBasis;
+using static BasisPermissions.PermissionManager;
 
 namespace BasisNetworkServer.Security
 {
@@ -259,16 +261,29 @@ public static void OnAdminMessage(NetPeer peer, NetPacketReader reader)
                 SendBackMessage(peer, msg);
                 return;
             }
+
+            AdminRequest AdminRequest = new AdminRequest();
+            AdminRequest.Deserialize(reader);
+            AdminRequestMode Mode = AdminRequest.GetAdminRequestMode();
+
+            // GetPermissions is allowed for all authenticated users (read-only view)
+            if (Mode == AdminRequestMode.GetPermissions)
+            {
+                HandleGetPermissions(peer, UUID);
+                reader.Recycle();
+                return;
+            }
+
+            // All other admin operations require admin privileges
             if (!NetworkServer.AuthIdentity.IsNetPeerAdmin(UUID))
             {
                 string msg = $"Was not admin! {UUID}";
                 BNL.LogError(msg);
                 SendBackMessage(peer, msg);
+                reader.Recycle();
                 return;
             }
-            AdminRequest AdminRequest = new AdminRequest();
-            AdminRequest.Deserialize(reader);
-            AdminRequestMode Mode = AdminRequest.GetAdminRequestMode();
+
             switch (Mode)
             {
                 case AdminRequestMode.Ban:
@@ -324,10 +339,6 @@ public static void OnAdminMessage(NetPeer peer, NetPacketReader reader)
                     }
                     SendBackMessage(peer, ReturnMessage);
                     break;
-                //  case AdminRequestMode.RequestBannedPlayers:
-                //      break;
-                // case AdminRequestMode.TeleportTo:
-                //    break;
                 case AdminRequestMode.TeleportAll:
 
                     Writer = NetworkServer.RentWriter();
@@ -371,6 +382,27 @@ public static void OnAdminMessage(NetPeer peer, NetPacketReader reader)
                     NetworkServer.TrySend(peer, Writer, BasisNetworkCommons.AdminChannel, DeliveryMethod.ReliableOrdered);
                     NetworkServer.ReturnWriter(Writer);
                     break;
+
+                // --- Permission management ---
+                case AdminRequestMode.SetUserGroup:
+                    HandleSetUserGroup(peer, reader);
+                    break;
+                case AdminRequestMode.SetUserNode:
+                    HandleSetUserNode(peer, reader);
+                    break;
+                case AdminRequestMode.SetGroupNode:
+                    HandleSetGroupNode(peer, reader);
+                    break;
+                case AdminRequestMode.CreateGroup:
+                    HandleCreateGroup(peer, reader);
+                    break;
+                case AdminRequestMode.DeleteGroup:
+                    HandleDeleteGroup(peer, reader);
+                    break;
+                case AdminRequestMode.SetGroupParent:
+                    HandleSetGroupParent(peer, reader);
+                    break;
+
                 default:
                     BNL.LogError("Missing Mode!");
                     ReturnMessage = "Missing mode";
@@ -379,6 +411,128 @@ public static void OnAdminMessage(NetPeer peer, NetPacketReader reader)
             }
             reader.Recycle();
         }
+
+        #region Permission Handlers
+
+        /// <summary>
+        /// Serializes the full permission store snapshot and sends it back to the requesting peer.
+        /// Any authenticated user can call this (read-only).
+        /// Also includes a bool indicating whether the requesting user is an admin.
+        /// </summary>
+        private static void HandleGetPermissions(NetPeer peer, string requestingUUID)
+        {
+            PermissionStore snapshot = PermissionIntegration.Manager.Snapshot();
+            bool isAdmin = NetworkServer.AuthIdentity.IsNetPeerAdmin(requestingUUID);
+
+            NetDataWriter writer = NetworkServer.RentWriter();
+            AdminRequest outRequest = new AdminRequest();
+            outRequest.Serialize(writer, AdminRequestMode.GetPermissions);
+            writer.Put(isAdmin);
+
+            // Serialize groups
+            writer.Put(snapshot.Groups.Count);
+            foreach (var g in snapshot.Groups.Values)
+            {
+                writer.Put(g.Name);
+                writer.Put(g.Nodes.Count);
+                foreach (string node in g.Nodes)
+                    writer.Put(node);
+                writer.Put(g.Parents.Count);
+                foreach (string parent in g.Parents)
+                    writer.Put(parent);
+            }
+
+            // Serialize users
+            writer.Put(snapshot.Users.Count);
+            foreach (var u in snapshot.Users.Values)
+            {
+                writer.Put(u.Uuid);
+                writer.Put(u.Groups.Count);
+                foreach (string group in u.Groups)
+                    writer.Put(group);
+                writer.Put(u.Nodes.Count);
+                foreach (string node in u.Nodes)
+                    writer.Put(node);
+            }
+
+            NetworkServer.TrySend(peer, writer, BasisNetworkCommons.AdminChannel, DeliveryMethod.ReliableOrdered);
+            NetworkServer.ReturnWriter(writer);
+            BNL.Log($"Sent permission snapshot to {requestingUUID} (admin={isAdmin})");
+        }
+
+        private static void HandleSetUserGroup(NetPeer peer, NetPacketReader reader)
+        {
+            string uuid = reader.GetString();
+            string group = reader.GetString();
+            bool add = reader.GetBool();
+
+            if (add)
+                PermissionIntegration.Manager.AddUserToGroup(uuid, group);
+            else
+                PermissionIntegration.Manager.RemoveUserFromGroup(uuid, group);
+
+            SendBackMessage(peer, $"{(add ? "Added" : "Removed")} user {uuid} {(add ? "to" : "from")} group '{group}'");
+        }
+
+        private static void HandleSetUserNode(NetPeer peer, NetPacketReader reader)
+        {
+            string uuid = reader.GetString();
+            string node = reader.GetString();
+            bool add = reader.GetBool();
+
+            if (add)
+                PermissionIntegration.Manager.AddUserNode(uuid, node);
+            else
+                PermissionIntegration.Manager.RemoveUserNode(uuid, node);
+
+            SendBackMessage(peer, $"{(add ? "Added" : "Removed")} node '{node}' {(add ? "to" : "from")} user {uuid}");
+        }
+
+        private static void HandleSetGroupNode(NetPeer peer, NetPacketReader reader)
+        {
+            string groupName = reader.GetString();
+            string node = reader.GetString();
+            bool add = reader.GetBool();
+
+            if (add)
+                PermissionIntegration.Manager.AddGroupNode(groupName, node);
+            else
+                PermissionIntegration.Manager.RemoveGroupNode(groupName, node);
+
+            SendBackMessage(peer, $"{(add ? "Added" : "Removed")} node '{node}' {(add ? "to" : "from")} group '{groupName}'");
+        }
+
+        private static void HandleCreateGroup(NetPeer peer, NetPacketReader reader)
+        {
+            string groupName = reader.GetString();
+            PermissionIntegration.Manager.GetOrCreateGroup(groupName);
+            SendBackMessage(peer, $"Created group '{groupName}'");
+        }
+
+        private static void HandleDeleteGroup(NetPeer peer, NetPacketReader reader)
+        {
+            string groupName = reader.GetString();
+            if (PermissionIntegration.Manager.DeleteGroup(groupName))
+                SendBackMessage(peer, $"Deleted group '{groupName}'");
+            else
+                SendBackMessage(peer, $"Failed to delete group '{groupName}' (not found)");
+        }
+
+        private static void HandleSetGroupParent(NetPeer peer, NetPacketReader reader)
+        {
+            string groupName = reader.GetString();
+            string parentName = reader.GetString();
+            bool add = reader.GetBool();
+
+            if (add)
+                PermissionIntegration.Manager.AddGroupParent(groupName, parentName);
+            else
+                PermissionIntegration.Manager.RemoveGroupParent(groupName, parentName);
+
+            SendBackMessage(peer, $"{(add ? "Added" : "Removed")} parent '{parentName}' {(add ? "to" : "from")} group '{groupName}'");
+        }
+
+        #endregion
         public static void SendBackMessage(NetPeer Peer, string ReturnMessage)
         {
             if (string.IsNullOrEmpty(ReturnMessage))

Basis Server/BasisNetworkServer/Security/PermissionManager.cs

@@ -428,6 +428,32 @@ public void RemoveGroupParent(string groupName, string parentName)
             SaveToXmlDebounced();
         }
 
+        public bool DeleteGroup(string groupName)
+        {
+            if (string.IsNullOrWhiteSpace(groupName)) return false;
+
+            _lock.EnterWriteLock();
+            try
+            {
+                if (!_store.Groups.Remove(groupName))
+                    return false;
+
+                // Remove this group from all users that reference it
+                foreach (var u in _store.Users.Values)
+                    u.Groups.Remove(groupName);
+
+                // Remove this group as a parent from other groups
+                foreach (var g in _store.Groups.Values)
+                    g.Parents.Remove(groupName);
+
+                TouchAll();
+            }
+            finally { _lock.ExitWriteLock(); }
+
+            SaveToXmlDebounced();
+            return true;
+        }
+
         // Snapshot store for saving or admin viewing
         public PermissionStore Snapshot()
         {

Basis/Packages/com.basis.framework/BasisUI/Menus/Main Menu Providers/SettingsProvider.cs

@@ -56,6 +56,7 @@ public override void RunAction()
             AddLazyTab(tabGroup, "Storage", () => SettingsProviderStorage.StorageTab(tabGroup));
             AddLazyTab(tabGroup, "Console", () => SettingsProviderConsoleTab.ConsoleTab(tabGroup));
             AddLazyTab(tabGroup, "Developer", () => DeveloperTab(tabGroup));
+            AddLazyTab(tabGroup, "Permissions", () => SettingsProviderPermissionsTab.PermissionsTab(tabGroup));
             AddLazyTab(tabGroup, "Admin", () => SettingsProviderAdminTab.AdminTab(tabGroup));
 
             panel.Descriptor.ForceRebuild();