How do I setup basic user permissions so users can't run commands like "Hubot die" or "Hubot show storage"?
I can see there is a script called hubot-auth but that seems to be for implementing it in other scripts and not controlling existing commands.
There is a small chapter about it in Automation and Monitoring with Hubot book (shameless plug). Excerpt:
Only Admin users can assign roles. You don't have to create a role before assigning. All you have
to do is tell Hubot who is who using hubot <user> has <role> role. And you no longer have to use
those cryptic IDs anymore:
Tomas hubot Jesse Pinkman has developer role
Hubot Tomas: Ok, Jesse Pinkman has the 'developer' role.
Check the assigned roles using hubot what roles does <user> have?:
Tomas hubot what roles does Jesse Pinkman have?
Hubot Tomas: Jesse Pinkman has the following roles: developer.
To remove the role from somebody, use hubot <user> does not have <role> role:
Tomas hubot Jesse Pinkman does not have developer role
Hubot Tomas: Ok, Jesse Pinkman doesn't have the 'developer' role.
You can assign multiple roles to multiple users.
Now, time to break the bad news. While Hubot Auth is pretty flexible, you will have to edit your
scripts to apply those roles. Luckily, there is not much to edit. There is a simple function that
checks if user has a role - robot.Auth.hasRole(msg.envelope.user, '<role>').
This is how you use it in a script:
module.exports = (robot) ->
robot.respond /do dangerous stuff/i, (msg) ->
if robot.auth.hasRole(msg.envelope.user, 'developer')
doDangerousStuff(msg)
else
msg.reply "Sorry, you don't have 'developer' role"
doDangerousStuff = (msg) ->
msg.send "Doing dangerous stuff"