Skip to content

Add Built-In Role-Based Access Control (RBAC) with Roles, Permissions, and Assignments #237

Open
Open
Add Built-In Role-Based Access Control (RBAC) with Roles, Permissions, and Assignments#237
Labels
enhancementNew feature or request
@null-ed

Description

@null-ed
null-ed
opened on Dec 1, 2025

Problem

The project currently lacks a reusable and structured RBAC (Role-Based Access Control) system, with the following issues:

  1. No Role model or user-role mapping
    Users cannot have multiple roles, and roles cannot share permissions in a reusable way.

  2. No standard way to define permissions
    There is no centralized permission list or front-end-friendly permission structure.

  3. No permission-checking mechanism
    Access control relies only on is_superuser or resource ownership, which is insufficient for enterprise multi-role, multi-admin systems.

  4. No API, dependencies, admin panel, or documentation for RBAC
    Teams must implement their own solutions, leading to duplication and inconsistency.

Proposal

Introduce a clean and extensible RBAC system without a database Permission model:

1. Permissions as Code Constants

Define all permissions centrally as code constants:

class PermissionNames:
    user = "user"
    user_create = f"{user}.create"
    user_delete = f"{user}.delete"

    book = "book"
    book_edit = f"{book}.edit"

Benefits:

  • Centralized and maintainable
  • No database table needed
  • Avoids duplicate or stale data
  • Adding new permissions only requires code changes

2. Permission Tree for Hierarchy and UI

Use a dedicated class PermissionNode to build hierarchical structures:

PermissionNode(
    name=PermissionNames.user,
    children=[
        PermissionNode(name=PermissionNames.user_create),
        PermissionNode(name=PermissionNames.user_delete),
    ]
)

Purpose:

  • Render permission tree in admin/front-end UI
  • Allow administrators to select permissions
  • Single source of truth for permission hierarchy

3. Data Models (Simplified)

  • roles: id, name, description, timestamps
  • role_permission: role_id, permission_name (string constant)
  • user_role: user_id, role_id

No separate Permission model is needed, keeping the database simple.

4. API / CRUD

Provide standard endpoints:

  • Create/update/delete roles
  • Assign/remove permissions to roles (string constants)
  • Assign/remove roles to users
  • Query a user’s effective permissions

5. Permission Checks

Use FastAPI dependencies:

require_permissions(PermissionNames.user_create,PermissionNames.user_delete)

Logic:

  • Aggregate permissions from all roles assigned to the user
  • Superusers bypass checks
  • Supports any/all permission modes

6. Admin Panel Integration

  • Role management UI includes permission assignment
  • Permission tree automatically rendered from PermissionNode hierarchy

7. Documentation and Testing

  • Document how to define permissions, build the permission tree, and protect endpoints
  • Test role assignment and permission checks

📌 Summary

Problem: The project lacks RBAC, making role management and permission control difficult.
Proposal: Add Role, UserRole, and RolePermission models; define permissions as code constants with a hierarchical tree; implement require_permission checks; provide complete API, admin UI, docs, and tests.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions