Commit Graph

20 Commits

Author SHA1 Message Date
Koncept Kit
a74f161efa Security Hardening #1 2026-01-07 14:15:50 +07:00
Koncept Kit
d818d847bc Security Hardening 2026-01-07 14:03:38 +07:00
Koncept Kit
1390e07500 Login and Session Fixes 2026-01-07 13:37:28 +07:00
Koncept Kit
810366d00f feat: Implement Option 3 - Proper RBAC with role-based staff invitations
**Problem:** Admin had users.create permission but couldn't use it due to workflow requiring superadmin-only /admin/roles endpoint.

**Solution:** Created scalable endpoint that adapts role selection to user's permission level.

**Changes:**
- NEW: GET /admin/roles/assignable endpoint with intelligent role filtering
  - Superadmin: Returns all roles
  - Admin: Returns admin, finance, non-elevated custom roles (excludes superadmin)
  - Prevents privilege escalation via permission comparison

- UPDATED: InviteStaffDialog now uses /admin/roles/assignable
  - Removed 403 fallback logic (no longer needed)
  - Backend handles role filtering dynamically

- UPDATED: AdminStaff 'Invite Staff' button back to permission-based
  - Changed from user.role === 'superadmin' to hasPermission('users.create')
  - Both admin and superadmin can now invite staff with role restrictions

**Security:**
- Privilege escalation blocked (admin can't create superadmin)
- Custom roles filtered by permission comparison
- Multi-layer enforcement (frontend + backend)

**Files Modified:**
- backend/server.py (+94 lines)
- frontend/src/components/InviteStaffDialog.js (-14 lines)
- frontend/src/pages/admin/AdminStaff.js (1 line changed)
- RBAC_IMPLEMENTATION_FINAL.md (new documentation)

**Testing:**
- Superadmin can assign all roles including superadmin ✓
- Admin can assign admin and finance ✓
- Admin cannot see/assign superadmin ✓
- Custom role elevation detection working ✓
2026-01-06 14:42:25 +07:00
Koncept Kit
314380eec6 Add missing endpoints, fix batch updates, and implement RSVP status
## New Endpoints
- **GET /admin/events/{event_id}**: Get single event details (admin)
  - Allows viewing unpublished events
  - Returns full event with RSVP count

## Enhanced Endpoints
- **PUT /admin/events/{event_id}/attendance**: Accept batch updates
  - Add BatchAttendanceUpdate model for array of updates
  - Support both single and bulk attendance marking
  - Return count of updated records

- **GET /events**: Include user RSVP status in response
  - Query current user's RSVP for each event
  - Enable calendar color coding by status

- **GET /events/{event_id}**: Include user RSVP status
  - Query current user's RSVP for event details
  - Maintain consistency with list endpoint

## Bug Fixes
- **GET /members/event-activity**: Fix timezone comparison
  - Add timezone-aware conversion for event.end_at
  - Resolve "can't compare offset-naive and offset-aware" error

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-06 01:03:01 +07:00
Koncept Kit
6784148058 Fix timezone comparison error in invitation verification 2026-01-05 02:26:11 +07:00
Koncept Kit
f9bfdfa879 Superadmin nullable fix 2026-01-04 22:33:48 +07:00
Koncept Kit
487481b322 Test Preparation 2025-12-26 20:03:53 +07:00
Koncept Kit
91c7fc01e6 Donation base URL fix 2025-12-18 18:02:36 +07:00
Koncept Kit
db13f0e9de
- Profile Picture
- Donation Tracking
- Validation Rejection
- Subscription Data Export
- Admin Dashboard Logo
- Admin Navbar Reorganization
2025-12-18 17:04:00 +07:00
Koncept Kit
ed5526e27b RBAC, Permissions, and Export/Import 2025-12-16 20:03:50 +07:00
Koncept Kit
b268c3fff8 Update Responsive and Contact Us page and function 2025-12-13 00:58:30 +07:00
Koncept Kit
834d65ec49 Donation page update and Subscription update on Admin Dashboard 2025-12-11 23:14:13 +07:00
Koncept Kit
7d55d29362 Stripe fix and email verification fix 2025-12-11 22:18:58 +07:00
Koncept Kit
e875700b8e Update:
- Membership Plan
- Donation
- Member detail for Member Directory
2025-12-11 19:28:48 +07:00
Koncept Kit
f051976881 Update New Features 2025-12-10 17:52:32 +07:00
Koncept Kit
005c56b43d Email SMTP Fix 2025-12-07 16:59:04 +07:00
Koncept Kit
79b617904b Update registration Step 2025-12-06 13:47:30 +07:00
Koncept Kit
a073fca0d7 Deploy prepare 2025-12-06 00:50:35 +07:00
Koncept Kit
6ef7685ade first commit 2025-12-05 16:43:37 +07:00