ryan/lunarfront-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement RBAC with permissions, roles, and route guards

Browse Source 
- permission, role, role_permission, user_role_assignment tables
- 42 system permissions across 13 domains
- 6 default roles: Admin, Manager, Sales Associate, Technician, Instructor, Viewer
- Permission inheritance: admin implies edit implies view
- requirePermission() Fastify decorator on ALL routes
- System permissions and roles seeded per company
- Test helpers and API test runner seed RBAC data
- All 42 API tests pass with permissions enforced
This commit is contained in:
Ryan Moon
2026-03-28 17:00:42 -05:00
parent dd03fb79ef
commit 4a1fc608f0
13 changed files with 679 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
packages/backend/src/routes/v1/lookups.ts
View File

@@ -5,12 +5,12 @@ import { ConflictError, ValidationError } from '../../lib/errors.js'
function createLookupRoutes(prefix: string, service: typeof UnitStatusService) {
const routes: FastifyPluginAsync = async (app) => {
app.get(`/${prefix}`, { preHandler: [app.authenticate] }, async (request, reply) => {
app.get(`/${prefix}`, { preHandler: [app.authenticate, app.requirePermission('inventory.view')] }, async (request, reply) => {
const data = await service.list(app.db, request.companyId)
return reply.send({ data })
})
app.post(`/${prefix}`, { preHandler: [app.authenticate] }, async (request, reply) => {
app.post(`/${prefix}`, { preHandler: [app.authenticate, app.requirePermission('inventory.admin')] }, async (request, reply) => {
const parsed = LookupCreateSchema.safeParse(request.body)
if (!parsed.success) {
throw new ValidationError('Validation failed', parsed.error.flatten())
@@ -25,7 +25,7 @@ function createLookupRoutes(prefix: string, service: typeof UnitStatusService) {
return reply.status(201).send(row)
})
app.patch(`/${prefix}/:id`, { preHandler: [app.authenticate] }, async (request, reply) => {
app.patch(`/${prefix}/:id`, { preHandler: [app.authenticate, app.requirePermission('inventory.admin')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const parsed = LookupUpdateSchema.safeParse(request.body)
if (!parsed.success) {
@@ -36,7 +36,7 @@ function createLookupRoutes(prefix: string, service: typeof UnitStatusService) {
return reply.send(row)
})
app.delete(`/${prefix}/:id`, { preHandler: [app.authenticate] }, async (request, reply) => {
app.delete(`/${prefix}/:id`, { preHandler: [app.authenticate, app.requirePermission('inventory.admin')] }, async (request, reply) => {
const { id } = request.params as { id: string }
const row = await service.delete(app.db, request.companyId, id)
if (!row) return reply.status(404).send({ error: { message: 'Not found', statusCode: 404 } })