Summary
Add a role-based access control (RBAC) system with three built-in roles (superuser, admin, member) and a fine-grained permission model. Superusers bypass all permission checks (Django semantics), admins receive explicit permissions, and members access only their own resources.
Requirements
- Define a `RoleName` enum with `superuser`, `admin`, and `member` roles
- Implement `UserRole`, `Permission`, and `RolePermission` database models
- Add an RBAC service layer (`assign_role`, `remove_role`, `has_permission`, `is_superuser`)
- Add reusable FastAPI dependencies: `require_role()`, `require_permission()`, `require_superuser`
- Add admin-only endpoints at `/api/v1/admin/` (list users, user detail, assign role, deactivate user)
- Update `/api/v1/user/me` to return the user's roles
- Add CLI commands: `--role` flag on `create-user`, `assign-role`, `seed-rbac`
- Seed default permissions (`users:list`, `users:read`, `users:manage`, `users:assign_role`, `plugins:manage`) assigned to the admin role
- Remove the deprecated `is_superuser` boolean column from the User model
- Ensure superuser privileges are enforced across all protected API endpoints
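The following is an added, self-contained sketch of the service layer and dependency guards the requirements describe; it is not the project's code and not the implementation in PR #283. It keeps the role and permission names from this issue but replaces the database models with in-memory dictionaries, uses a hypothetical `User` dataclass, and raises a plain `PermissionDenied` where a FastAPI dependency would raise an HTTP 403. It makes the three authorization rules explicit and testable: superusers pass every permission check (including names never registered, as in Django), admins get only what `seed-rbac` granted, and members reach only their own user record. Deactivated accounts fail every check regardless of role, which is the check the deactivate-user endpoint depends on.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Hypothetical in-memory model of the RBAC design in this issue (not the
# project's code). Role and permission names are the ones the issue lists;
# class names, the User fields and the exception type are assumptions.


class RoleName(str, Enum):
    SUPERUSER = "superuser"
    ADMIN = "admin"
    MEMBER = "member"


# Permissions the issue says seed-rbac assigns to the admin role.
ADMIN_SEED_PERMISSIONS = frozenset({
    "users:list", "users:read", "users:manage", "users:assign_role", "plugins:manage",
})


@dataclass(frozen=True)
class User:
    id: int
    is_active: bool = True


class PermissionDenied(Exception):
    """Stand-in for the HTTP 403 a FastAPI dependency would raise."""


class RbacService:
    """Service layer: role assignment plus the checks the endpoints rely on."""

    def __init__(self) -> None:
        self._user_roles: dict[int, set[RoleName]] = {}        # UserRole rows
        self._role_permissions: dict[RoleName, set[str]] = {   # RolePermission rows
            r: set() for r in RoleName
        }

    def seed_rbac(self) -> None:
        self._role_permissions[RoleName.ADMIN].update(ADMIN_SEED_PERMISSIONS)

    def assign_role(self, user: User, role: RoleName) -> None:
        self._user_roles.setdefault(user.id, set()).add(role)

    def remove_role(self, user: User, role: RoleName) -> None:
        self._user_roles.get(user.id, set()).discard(role)

    def roles(self, user: User) -> frozenset[RoleName]:
        return frozenset(self._user_roles.get(user.id, set()))

    def is_superuser(self, user: User) -> bool:
        return RoleName.SUPERUSER in self.roles(user)

    def has_permission(self, user: User, permission: str) -> bool:
        # Deactivated accounts get nothing, superuser or not (Django's rule too).
        if not user.is_active:
            return False
        # Django semantics: a superuser passes every check, even for a
        # permission name that was never registered.
        if self.is_superuser(user):
            return True
        return any(permission in self._role_permissions[r] for r in self.roles(user))

    def can_access_user(self, actor: User, target_user_id: int) -> bool:
        # Members reach only their own record; anyone else needs users:read.
        if actor.is_active and actor.id == target_user_id:
            return True
        return self.has_permission(actor, "users:read")


def require_permission(rbac: RbacService, permission: str):
    """Dependency-style guard: returns the user or raises PermissionDenied."""
    def guard(user: User) -> User:
        if not rbac.has_permission(user, permission):
            raise PermissionDenied(f"missing permission {permission}")
        return user
    return guard


def require_role(rbac: RbacService, role: RoleName):
    """Strict role check: the user must actually hold the role and be active."""
    def guard(user: User) -> User:
        if not user.is_active or role not in rbac.roles(user):
            raise PermissionDenied(f"role {role.value} required")
        return user
    return guard


def require_superuser(rbac: RbacService):
    return require_role(rbac, RoleName.SUPERUSER)


if __name__ == "__main__":
    rbac = RbacService()
    rbac.seed_rbac()
    admin, member = User(2), User(3)
    rbac.assign_role(admin, RoleName.ADMIN)
    rbac.assign_role(member, RoleName.MEMBER)
    print("admin users:list ->", rbac.has_permission(admin, "users:list"))    # True
    print("member users:list ->", rbac.has_permission(member, "users:list"))  # False
```

Two design points worth keeping when this is wired to real models: `has_permission` checks `is_active` before the superuser bypass, so deactivating a user is sufficient to cut off access without also stripping roles; and `require_role` is deliberately strict (a superuser does not implicitly satisfy `require_role(admin)`), which the issue leaves open, so adjust if admin endpoints are meant to be reachable by superusers through the role guard rather than through `has_permission`.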
Implementation
Tracked in PR #283.