andika/membership-be
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Implement Option 3 - Proper RBAC with role-based staff invitations #22

Merged
andika merged 1 commits from dev into loaf-prod 2026-01-06 08:35:09 +00:00
Conversation 0 Commits 1 Files Changed 1 +95
andika commented 2026-01-06 08:35:00 +00:00
Owner
Copy Link

Problem: Admin had users.create permission but couldn't use it due to workflow requiring superadmin-only /admin/roles endpoint.

Solution: Created scalable endpoint that adapts role selection to user's permission level.

Changes:

  • NEW: GET /admin/roles/assignable endpoint with intelligent role filtering

    • Superadmin: Returns all roles
    • Admin: Returns admin, finance, non-elevated custom roles (excludes superadmin)
    • Prevents privilege escalation via permission comparison

  • UPDATED: InviteStaffDialog now uses /admin/roles/assignable

    • Removed 403 fallback logic (no longer needed)
    • Backend handles role filtering dynamically

  • UPDATED: AdminStaff 'Invite Staff' button back to permission-based

    • Changed from user.role === 'superadmin' to hasPermission('users.create')
    • Both admin and superadmin can now invite staff with role restrictions

Security:

  • Privilege escalation blocked (admin can't create superadmin)
  • Custom roles filtered by permission comparison
  • Multi-layer enforcement (frontend + backend)

Files Modified:

  • backend/server.py (+94 lines)
  • frontend/src/components/InviteStaffDialog.js (-14 lines)
  • frontend/src/pages/admin/AdminStaff.js (1 line changed)
  • RBAC_IMPLEMENTATION_FINAL.md (new documentation)

Testing:

  • Superadmin can assign all roles including superadmin ✓
  • Admin can assign admin and finance ✓
  • Admin cannot see/assign superadmin ✓
  • Custom role elevation detection working ✓
**Problem:** Admin had users.create permission but couldn't use it due to workflow requiring superadmin-only /admin/roles endpoint. **Solution:** Created scalable endpoint that adapts role selection to user's permission level. **Changes:** - NEW: GET /admin/roles/assignable endpoint with intelligent role filtering - Superadmin: Returns all roles - Admin: Returns admin, finance, non-elevated custom roles (excludes superadmin) - Prevents privilege escalation via permission comparison - UPDATED: InviteStaffDialog now uses /admin/roles/assignable - Removed 403 fallback logic (no longer needed) - Backend handles role filtering dynamically - UPDATED: AdminStaff 'Invite Staff' button back to permission-based - Changed from user.role === 'superadmin' to hasPermission('users.create') - Both admin and superadmin can now invite staff with role restrictions **Security:** - ✅ Privilege escalation blocked (admin can't create superadmin) - ✅ Custom roles filtered by permission comparison - ✅ Multi-layer enforcement (frontend + backend) **Files Modified:** - backend/server.py (+94 lines) - frontend/src/components/InviteStaffDialog.js (-14 lines) - frontend/src/pages/admin/AdminStaff.js (1 line changed) - RBAC_IMPLEMENTATION_FINAL.md (new documentation) **Testing:** - Superadmin can assign all roles including superadmin ✓ - Admin can assign admin and finance ✓ - Admin cannot see/assign superadmin ✓ - Custom role elevation detection working ✓
andika added 1 commit 2026-01-06 08:35:01 +00:00
feat: Implement Option 3 - Proper RBAC with role-based staff invitations 810366d00f 
**Problem:** Admin had users.create permission but couldn't use it due to workflow requiring superadmin-only /admin/roles endpoint.

**Solution:** Created scalable endpoint that adapts role selection to user's permission level.

**Changes:**
- NEW: GET /admin/roles/assignable endpoint with intelligent role filtering
  - Superadmin: Returns all roles
  - Admin: Returns admin, finance, non-elevated custom roles (excludes superadmin)
  - Prevents privilege escalation via permission comparison

- UPDATED: InviteStaffDialog now uses /admin/roles/assignable
  - Removed 403 fallback logic (no longer needed)
  - Backend handles role filtering dynamically

- UPDATED: AdminStaff 'Invite Staff' button back to permission-based
  - Changed from user.role === 'superadmin' to hasPermission('users.create')
  - Both admin and superadmin can now invite staff with role restrictions

**Security:**
-  Privilege escalation blocked (admin can't create superadmin)
-  Custom roles filtered by permission comparison
-  Multi-layer enforcement (frontend + backend)

**Files Modified:**
- backend/server.py (+94 lines)
- frontend/src/components/InviteStaffDialog.js (-14 lines)
- frontend/src/pages/admin/AdminStaff.js (1 line changed)
- RBAC_IMPLEMENTATION_FINAL.md (new documentation)

**Testing:**
- Superadmin can assign all roles including superadmin ✓
- Admin can assign admin and finance ✓
- Admin cannot see/assign superadmin ✓
- Custom role elevation detection working ✓
andika merged commit f915976cb3 into loaf-prod 2026-01-06 08:35:09 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
kayela andika
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: andika/membership-be#22
Delete Branch "dev"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?