feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin > engineer > viewer. Adds is_super_admin boolean to User model (migration 010), centralized backend permissions module, frontend usePermissions hook, and UI enforcement (conditional Create/Edit buttons, editor redirect for viewers, role badge in header). All endpoint admin checks updated from role=="admin" to is_super_admin. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 02:42:44 -05:00
parent d7c5c8c9ce
commit 34daa26a67
20 changed files with 428 additions and 65 deletions
--- a/backend/alembic/versions/010_add_is_super_admin.py
+++ b/backend/alembic/versions/010_add_is_super_admin.py
@@ -0,0 +1,33 @@
+"""add is_super_admin to users
+
+Revision ID: 010
+Revises: 009
+Create Date: 2026-02-05
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '010'
+down_revision: Union[str, None] = '009'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Add is_super_admin flag
+    op.add_column('users',
+        sa.Column('is_super_admin', sa.Boolean(), nullable=False, server_default=sa.text('false'))
+    )
+    # Migrate existing admin users: promote to super admin AND normalize role
+    op.execute("UPDATE users SET is_super_admin = TRUE, role = 'engineer' WHERE role = 'admin'")
+
+
+def downgrade() -> None:
+    # Restore admin role for super admins before dropping column
+    op.execute("UPDATE users SET role = 'admin' WHERE is_super_admin = TRUE")
+    op.drop_column('users', 'is_super_admin')