feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin > engineer > viewer. Adds is_super_admin boolean to User model (migration 010), centralized backend permissions module, frontend usePermissions hook, and UI enforcement (conditional Create/Edit buttons, editor redirect for viewers, role badge in header). All endpoint admin checks updated from role=="admin" to is_super_admin. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 02:42:44 -05:00
parent d7c5c8c9ce
commit 34daa26a67
20 changed files with 428 additions and 65 deletions
--- a/backend/app/schemas/user.py
+++ b/backend/app/schemas/user.py
@@ -11,7 +11,7 @@ class UserBase(BaseModel):

 class UserCreate(UserBase):
    password: str = Field(..., min_length=10, description="Password must be at least 10 characters")
-    role: str = Field(default="engineer", description="User role: admin, engineer, or viewer")
+    role: str = Field(default="engineer", description="User role: engineer or viewer")
    invite_code: Optional[str] = Field(None, description="Invite code for registration (required when invite system is enabled)")


@@ -28,6 +28,7 @@ class UserLogin(BaseModel):
 class UserResponse(UserBase):
    id: UUID
    role: str
+    is_super_admin: bool = False
    is_team_admin: bool = False
    team_id: Optional[UUID] = None
    created_at: datetime