feat(rbac): enforce admin access checks and document permission model
This commit is contained in:
@@ -6,6 +6,7 @@ This section covers platform and implementation documentation for engineers and
|
||||
|
||||
- [Getting Started](/getting-started)
|
||||
- [Architecture](/architecture)
|
||||
- [RBAC And Permissions](/product-engineering/rbac-permission-model)
|
||||
- [Workflow](/workflow)
|
||||
|
||||
## Scope
|
||||
|
||||
62
docs/product-engineering/rbac-permission-model.md
Normal file
62
docs/product-engineering/rbac-permission-model.md
Normal file
@@ -0,0 +1,62 @@
|
||||
# RBAC And Permission Model
|
||||
|
||||
This document defines the current role model, permission matrix, and scope semantics used by the admin app.
|
||||
|
||||
## Roles
|
||||
|
||||
- `admin`: full system access
|
||||
- `manager`: broad operational access with selective limitations
|
||||
- `editor`: content-focused access with reduced user-management privileges
|
||||
|
||||
## Permission Scopes
|
||||
|
||||
- `own`: applies to records the user owns
|
||||
- `team`: applies to records within the user's team/org unit
|
||||
- `global`: applies across all records
|
||||
|
||||
Scope hierarchy (higher includes lower):
|
||||
|
||||
- `global` -> `team` -> `own`
|
||||
|
||||
## Permission Matrix Summary
|
||||
|
||||
### Admin
|
||||
|
||||
- All permissions at `global` scope
|
||||
|
||||
### Manager
|
||||
|
||||
- Dashboard and roadmap read: `global`
|
||||
- Pages, navigation, media, commissions, banner, news: `global`
|
||||
- Users: `read` at `global`, `write` at `team`
|
||||
|
||||
### Editor
|
||||
|
||||
- Dashboard: `read` at `global`
|
||||
- Pages/navigation/media/news: mostly `team`
|
||||
- Publish and workflow transitions: mostly `own`
|
||||
- Users and commissions: mostly `own`
|
||||
- Banner: `read` at `global`
|
||||
|
||||
## Enforcement Layers
|
||||
|
||||
- Route-level: `apps/admin/src/middleware.ts`
|
||||
- Action-level: server component checks in admin pages (`/` and `/todo`)
|
||||
- Shared model + checks: `packages/content/src/rbac.ts`
|
||||
|
||||
## Dev Role Fallback
|
||||
|
||||
For local development only:
|
||||
|
||||
- If no role cookie/header is present and environment is not production,
|
||||
role falls back to `CMS_DEV_ROLE` or `admin`.
|
||||
|
||||
Use this only as bootstrap behavior until full auth/session integration is finished.
|
||||
|
||||
## Related Tasks
|
||||
|
||||
See `TODO.md` MVP0 gate items:
|
||||
|
||||
- RBAC domain model finalized
|
||||
- RBAC route/action enforcement
|
||||
- Permission matrix documented and tested
|
||||
Reference in New Issue
Block a user