Skip to content

Rooms, Permissions, and Preferences

SyncTV has two role layers. Keep them separate.

LayerRolesScope
Global user roleroot, admin, userPlatform administration, user management, room management, system settings
Room rolecreator, admin, member, guestPlayback, members, media, chat, and settings inside one room

A global admin is not automatically a room admin. A room admin is not a platform administrator.

RoleBoundary
rootSuper administrator; can manage root/admin/user accounts, global settings, and all rooms
adminPlatform administrator; can manage normal users and rooms, but cannot modify root or equally privileged admins
userNormal user; uses rooms and media features according to business permissions

User status is derived from ban records:

StatusEffect
activeCan log in, create rooms, and join rooms
bannedCannot log in, create rooms, or join rooms
Room roleDefault meaning
creatorRoom creator; has all room permissions and cannot be weakened by room settings
adminRoom administrator; can manage members, playback, media, room settings, and moderation by default
memberNormal member; can chat, use WebRTC, create/edit their own media resources, delete their own media resources by ownership, and view media resources/member/chat data by default
guestGuest, not a room member. Guests have no media-resource, chat, or administration permissions by default. A room can only grant guest-safe capabilities such as member list, chat history, or WebRTC

Room roles provide base permissions. Room settings and member overrides then add or remove permissions.

Guests can enter public rooms that explicitly allow guest access, but they do not become room members. Guest permissions use their own ceiling and do not inherit from member.

CapabilityDefaultCan be granted through guest permissionsNotes
Basic realtime room stateYesNo setting requiredLets the client show room existence, settings, and playback state after connecting
Member listNoview_member_listRead-only
Chat historyNoview_chat_historyRead-only
WebRTC signalingNouse_webrtcAllows signaling participation only; does not grant room administration
Media resourcesNoNoGuests cannot read, browse, or manage media resources
Chat sendingNoNosend_chat is only for signed-in members
Playback control, member management, room settingsNoNoRequires a signed-in member with the matching permission

Effective permissions are evaluated in three layers:

Room effective permission evaluation model showing room role base permissions, room settings added and removed permissions, member added and removed overrides, and the creator special case that always keeps all room permissions. Room effective permission evaluation model showing room role base permissions, room settings added and removed permissions, member added and removed overrides, and the creator special case that always keeps all room permissions.
Effective permissions start from the room role base, then apply room settings and member-specific overrides. If the same bit is both added and removed, removal wins.

Rules:

  • creator always has all room permissions.
  • Add is applied before remove. If the same bit is both added and removed, remove wins.
  • memberAddedPermissions cannot exceed the admin-level ceiling.
  • guestAddedPermissions uses a dedicated guest ceiling. It cannot grant media-resource, chat-write, or administration permissions.
  • DELETE_ROOM is not a room-delegable permission. Room deletion belongs to the creator or the platform management plane.

Runtime settings and administration surfaces use stable snake_case permission names.

Permission nameMeaning
send_chatSend chat messages
create_media_resourceCreate media resources and edit media resources created by the actor
delete_media_resource_anyDelete media resources created by other users or without a recorded creator
reorder_media_resourcesReorder media resources
clear_media_resourcesClear media resource queues
live_controlManage live streams and create publish keys
play_controlPlay, pause, and seek
change_current_mediaSwitch current media
change_playback_rateChange playback speed
approve_memberApprove or reject join requests
kick_memberKick members and start a temporary rejoin cooldown
set_member_permissionsChange member permissions
add_memberAdd members directly
set_room_settingsModify room settings
delete_chatDelete chat messages
delete_roomDelete room; not a normal room-delegable permission
view_media_resourcesView media resources
view_member_listView member list
view_chat_historyView chat history
use_webrtcUse WebRTC voice/video features

Deleting a media resource created by the actor is an ownership business rule, not a separate permission bit. A member can always delete their own media resources, even without create_media_resource; creating media resources and editing their own media resources require create_media_resource.

Room settings control join policy, room features, and default permissions.

SettingDefaultMeaning
passwordEmptyInitial password on room creation; password APIs update it later
allowGuestJoinfalseAllow guests to join
maxMembers100Maximum members; upper bound 10000
requireApprovalfalseRequire join approval
allowAutoJointrueAllow eligible users to auto-join
chatEnabledtrueEnable chat
autoPlay{}Auto-play policy, for example {"enabled":true,"mode":1,"delay":5}
adminAddedPermissions / adminRemovedPermissionsEmpty permission setAdmin default permission changes
memberAddedPermissions / memberRemovedPermissionsEmpty permission setMember default permission changes
guestAddedPermissions / guestRemovedPermissionsEmpty permission setGuest default permission changes

Example:

Terminal window
synctv room settings get <ROOM_ID>
synctv room settings update <ROOM_ID> --settings-json '{"requireApproval":true}'

Member overrides are for exceptions, such as muting one member, granting playback control to one member, or removing ban capability from one administrator.

Semantics:

  • Base permissions come from the room role.
  • added_permissions adds normal member permissions.
  • removed_permissions removes normal member permissions.
  • Administrators can also have adminAddedPermissions and adminRemovedPermissions.
  • Weakening creator permissions has no effect.

Management rules:

  • Use roles for long-term permission design and member overrides for exceptions.
  • Too many overrides make troubleshooting harder; clean up stale overrides.
  • When removing administrator privileges, consider changing the role instead of stacking many deny bits.

User preferences are database-backed user-level settings, not YAML configuration.

FieldDefaultMeaning
two_factor_enabledfalseUser-level 2FA
notifications.room_invitation_in_apptrueIn-app room invitation notifications
notifications.room_event_in_apptrueIn-app room event notifications
notifications.system_announcement_in_apptrueIn-app system announcements
notifications.room_invitation_emailfalseEmail room invitation notifications
notifications.room_event_emailfalseEmail room event notifications
notifications.system_announcement_emailtrueEmail system announcements

Provider instance bindings are not user preferences. They are stored on provider credentials when the user logs in to a provider through a specific instance. The database table also has a settings JSONB extension payload for low-priority experimental preferences. Stable product preferences should use explicit columns. Do not store secrets, tokens, cookies, passwords, or provider credentials in it.

2FA constraints:

  • Enabling 2FA requires at least two local methods: password, WebAuthn/passkey, verified email.
  • OAuth2 is not counted as a local 2FA factor, but 2FA-enabled users may log in with OAuth2.
  • Removing an authentication method while 2FA is enabled must still leave at least two usable local methods.

Use Permission Names

Permission configuration should use stable permission-name sets so changes are readable, reviewable, and easy to roll back.

Separate Scopes

Platform admin and room admin are separate concepts. Diagnose permission issues by layer first.

Preferences Are Runtime Data

User preferences are changed through API/CLI and should not live in YAML or Helm values.

Verify Behavior

After changing join rules, permissions, or 2FA, test real login, room join, and playback flows.