feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin > engineer > viewer. Adds is_super_admin boolean to User model (migration 010), centralized backend permissions module, frontend usePermissions hook, and UI enforcement (conditional Create/Edit buttons, editor redirect for viewers, role badge in header). All endpoint admin checks updated from role=="admin" to is_super_admin. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 02:42:44 -05:00
parent d7c5c8c9ce
commit 34daa26a67
20 changed files with 428 additions and 65 deletions
--- a/backend/app/models/user.py
+++ b/backend/app/models/user.py
@@ -25,6 +25,7 @@ class User(Base):
    password_hash: Mapped[str] = mapped_column(String(255), nullable=False)
    name: Mapped[str] = mapped_column(String(255), nullable=False)
    role: Mapped[str] = mapped_column(String(50), nullable=False, default="engineer")
+    is_super_admin: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
    is_team_admin: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
    team_id: Mapped[Optional[uuid.UUID]] = mapped_column(
        UUID(as_uuid=True),
@@ -50,10 +51,10 @@ class User(Base):

    @property
    def is_admin(self) -> bool:
-        """Returns True if user is a global (ResolutionFlow) admin."""
-        return self.role == "admin"
+        """Returns True if user is a super admin (system-wide access)."""
+        return self.is_super_admin

    @property
    def can_manage_team(self) -> bool:
-        """Returns True if user can manage their team (team admin or global admin)."""
-        return self.is_admin or (self.is_team_admin and self.team_id is not None)
+        """Returns True if user can manage their team (team admin or super admin)."""
+        return self.is_super_admin or (self.is_team_admin and self.team_id is not None)