Status: Open
Labels: enhancement (New feature or request)
Description
Goal
Introduce a basic RBAC system in Evsy to manage user access levels (owner, admin, editor, viewer) across the app.
Roles and Permissions
| Role | Permissions |
|---|---|
| owner | Full access: everything, including user management and system settings |
| admin | Almost everything: create/edit all entities, access admin panel, but no user management |
| editor | Can create/edit/delete events, fields, tags, etc., but no access to admin panel or users |
| viewer | Read-only: can view events and other entities, but cannot modify anything |
Scope
- Add `role` field to the User model (Enum: owner, admin, editor, viewer)
- Include role info in the `/me` response and JWT claims
- Create a utility function `has_permission(user, permission)` or equivalent dependency
- Protect routes using role-based checks:
  - User management → owner only
  - Admin panel access → admin and owner
  - Event/tag/field creation/editing/deletion → editor, admin, owner
  - Read access → everyone
- On frontend, hide or disable buttons/components based on the current user's role (can be done as a separate stage)
Notes
- The goal is to secure the backend first; the frontend can follow.
- Permissions can be defined as a `Dict[Role, Set[str]]` for clarity and reusability.
How to test
- Use seeded users with different roles
- Confirm access is granted or denied correctly for each API endpoint
- Log in as different roles and observe the available UI options (once the frontend is integrated)
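The following is an added example sketching how the Scope, Notes and How to test sections above fit together; it is not code from the Evsy project. It assumes a plain-Python shape for the pieces the issue names: a `Role` enum, a deny-by-default `Dict[Role, Set[str]]` permission map, `has_permission(user, permission)`, and a `require_permission` decorator standing in for the route dependency. The permission strings (`entities:read`, `users:manage`, ...) and the `PermissionDenied` exception are assumptions, not project identifiers; `access_matrix()` runs one seeded user per role against every permission, which is the check the "How to test" list asks for.

```python
from dataclasses import dataclass
from enum import Enum
from functools import wraps
from typing import Callable, Dict, List, Set


class Role(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    EDITOR = "editor"
    VIEWER = "viewer"


# Permission names are assumed for this example; the issue does not fix them.
READ = "entities:read"
WRITE = "entities:write"            # create/edit/delete events, fields, tags, ...
ADMIN_PANEL = "admin:access"
USER_MANAGE = "users:manage"
SYSTEM_SETTINGS = "system:settings"

# Dict[Role, Set[str]] as suggested in the notes. Deny by default: a role has
# exactly the permissions listed here and nothing else.
PERMISSIONS: Dict[Role, Set[str]] = {
    Role.VIEWER: {READ},
    Role.EDITOR: {READ, WRITE},
    Role.ADMIN: {READ, WRITE, ADMIN_PANEL},
    Role.OWNER: {READ, WRITE, ADMIN_PANEL, USER_MANAGE, SYSTEM_SETTINGS},
}


@dataclass(frozen=True)
class User:
    id: int
    email: str
    role: Role          # the new `role` field on the User model


class PermissionDenied(Exception):
    """Assumed exception; the API layer would map it to HTTP 403."""
    status_code = 403


def has_permission(user: User, permission: str) -> bool:
    # An unknown role or an unknown permission string both evaluate to False.
    return permission in PERMISSIONS.get(user.role, set())


def require_permission(permission: str) -> Callable:
    """Decorator standing in for a route dependency. The wrapped handler must
    receive the authenticated user as the keyword argument `current_user`."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(*args, current_user: User, **kwargs):
            if not has_permission(current_user, permission):
                raise PermissionDenied(
                    f"role {current_user.role.value!r} lacks {permission!r}"
                )
            return handler(*args, current_user=current_user, **kwargs)
        return wrapper
    return decorator


# Three handlers covering the route groups in the Scope list.
@require_permission(USER_MANAGE)            # owner only
def delete_user(target_id: int, *, current_user: User) -> dict:
    return {"deleted": target_id, "by": current_user.id}


@require_permission(WRITE)                  # editor, admin, owner
def create_event(title: str, *, current_user: User) -> dict:
    return {"title": title, "created_by": current_user.id}


@require_permission(READ)                   # everyone
def list_events(*, current_user: User) -> List[str]:
    return ["event-1", "event-2"]           # constructed sample data


def access_matrix() -> Dict[str, Dict[str, bool]]:
    """One seeded user per role, tried against every permission.
    Returns role -> permission -> allowed, for eyeballing or asserting."""
    seeded = [User(i, f"{r.value}@example.test", r) for i, r in enumerate(Role, 1)]
    every_permission = sorted(PERMISSIONS[Role.OWNER])
    return {
        u.role.value: {p: has_permission(u, p) for p in every_permission}
        for u in seeded
    }


if __name__ == "__main__":
    for role, perms in access_matrix().items():
        print(role, {p: ("allow" if ok else "deny") for p, ok in perms.items()})
```

Because the map is deny-by-default, adding a new permission string grants it to nobody until a role is explicitly updated, and a typo in a route's permission name fails closed rather than open; the matrix makes that visible in one place before the frontend starts hiding buttons.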