feat(rbac): enforce admin access checks and document permission model

2026-02-10 12:16:36 +01:00
parent 4041a4ac4a
commit 947cb0a3d7
13 changed files with 458 additions and 8 deletions
--- a/apps/admin/src/app/page.tsx
+++ b/apps/admin/src/app/page.tsx
@@ -1,10 +1,21 @@
+import { hasPermission } from "@cms/content/rbac"
 import { listPosts } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import Link from "next/link"
+import { redirect } from "next/navigation"
+
+import { resolveRoleFromServerContext } from "@/lib/access"

 export const dynamic = "force-dynamic"

 export default async function AdminHomePage() {
+  const role = await resolveRoleFromServerContext()
+
+  if (!role || !hasPermission(role, "news:read", "team")) {
+    redirect("/unauthorized?required=news:read&scope=team")
+  }
+
+  const canCreatePost = hasPermission(role, "news:write", "team")
  const posts = await listPosts()

  return (
@@ -26,7 +37,7 @@ export default async function AdminHomePage() {
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="mb-4 flex items-center justify-between">
          <h2 className="text-xl font-medium">Posts</h2>
-          <Button>Create post</Button>
+          <Button disabled={!canCreatePost}>Create post</Button>
        </div>

        <div className="space-y-3">