feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin > engineer > viewer. Adds is_super_admin boolean to User model (migration 010), centralized backend permissions module, frontend usePermissions hook, and UI enforcement (conditional Create/Edit buttons, editor redirect for viewers, role badge in header). All endpoint admin checks updated from role=="admin" to is_super_admin. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 02:42:44 -05:00
parent d7c5c8c9ce
commit 34daa26a67
20 changed files with 428 additions and 65 deletions
--- a/frontend/src/pages/TreeEditorPage.tsx
+++ b/frontend/src/pages/TreeEditorPage.tsx
@@ -8,12 +8,14 @@ import { useTreeEditorStore, useTreeEditorTemporal } from '@/store/treeEditorSto
 import { TreeEditorLayout } from '@/components/tree-editor/TreeEditorLayout'
 import { ValidationSummary } from '@/components/tree-editor/ValidationSummary'
 import { useKeyboardShortcuts } from '@/hooks/useKeyboardShortcuts'
+import { usePermissions } from '@/hooks/usePermissions'
 import { cn } from '@/lib/utils'

 export function TreeEditorPage() {
  const { id } = useParams<{ id: string }>()
  const navigate = useNavigate()
  const isEditMode = !!id
+  const { canCreateTrees } = usePermissions()

  const {
    name,
@@ -75,8 +77,17 @@ export function TreeEditorPage() {
    }
  ])

+  // Permission guard: redirect viewers away from editor
+  useEffect(() => {
+    if (!canCreateTrees) {
+      navigate('/trees')
+    }
+  }, [canCreateTrees, navigate])
+
  // Initialize or load tree
  useEffect(() => {
+    if (!canCreateTrees) return
+
    const initialize = async () => {
      if (isEditMode) {
        setLoading(true)
@@ -102,7 +113,7 @@ export function TreeEditorPage() {
    return () => {
      reset()
    }
-  }, [id, isEditMode])
+  }, [id, isEditMode, canCreateTrees])

  // Handle unsaved changes warning
  useEffect(() => {