feat(rbac): enforce admin access checks and document permission model

2026-02-10 12:16:36 +01:00
parent 4041a4ac4a
commit 947cb0a3d7
13 changed files with 458 additions and 8 deletions
--- a/docs/.vitepress/config.mts
+++ b/docs/.vitepress/config.mts
@@ -19,6 +19,7 @@ export default defineConfig({
          { text: "Section Overview", link: "/product-engineering/" },
          { text: "Getting Started", link: "/getting-started" },
          { text: "Architecture", link: "/architecture" },
+          { text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" },
          { text: "Workflow", link: "/workflow" },
        ],
      },
--- a/docs/product-engineering/index.md
+++ b/docs/product-engineering/index.md
@@ -6,6 +6,7 @@ This section covers platform and implementation documentation for engineers and

 - [Getting Started](/getting-started)
 - [Architecture](/architecture)
+- [RBAC And Permissions](/product-engineering/rbac-permission-model)
 - [Workflow](/workflow)

 ## Scope
--- a/docs/product-engineering/rbac-permission-model.md
+++ b/docs/product-engineering/rbac-permission-model.md
@@ -0,0 +1,62 @@
+# RBAC And Permission Model
+
+This document defines the current role model, permission matrix, and scope semantics used by the admin app.
+
+## Roles
+
+- `admin`: full system access
+- `manager`: broad operational access with selective limitations
+- `editor`: content-focused access with reduced user-management privileges
+
+## Permission Scopes
+
+- `own`: applies to records the user owns
+- `team`: applies to records within the user's team/org unit
+- `global`: applies across all records
+
+Scope hierarchy (higher includes lower):
+
+- `global` -> `team` -> `own`
+
+## Permission Matrix Summary
+
+### Admin
+
+- All permissions at `global` scope
+
+### Manager
+
+- Dashboard and roadmap read: `global`
+- Pages, navigation, media, commissions, banner, news: `global`
+- Users: `read` at `global`, `write` at `team`
+
+### Editor
+
+- Dashboard: `read` at `global`
+- Pages/navigation/media/news: mostly `team`
+- Publish and workflow transitions: mostly `own`
+- Users and commissions: mostly `own`
+- Banner: `read` at `global`
+
+## Enforcement Layers
+
+- Route-level: `apps/admin/src/middleware.ts`
+- Action-level: server component checks in admin pages (`/` and `/todo`)
+- Shared model + checks: `packages/content/src/rbac.ts`
+
+## Dev Role Fallback
+
+For local development only:
+
+- If no role cookie/header is present and environment is not production,
+  role falls back to `CMS_DEV_ROLE` or `admin`.
+
+Use this only as bootstrap behavior until full auth/session integration is finished.
+
+## Related Tasks
+
+See `TODO.md` MVP0 gate items:
+
+- RBAC domain model finalized
+- RBAC route/action enforcement
+- Permission matrix documented and tested