Skip to content

Add Built-In Role-Based Access Control (RBAC) with Roles, Permissions, and Assignments #237

Open
Open
Add Built-In Role-Based Access Control (RBAC) with Roles, Permissions, and Assignments#237
Labels
enhancementNew feature or request
@null-ed

Description

@null-ed
null-ed
opened on Dec 1, 2025

Problem

The project currently lacks a reusable and structured RBAC (Role-Based Access Control) system, with the following issues:

  1. No Role model or user-role mapping
    Users cannot have multiple roles, and roles cannot share permissions in a reusable way.

  2. No standard way to define permissions
    There is no centralized permission list or front-end-friendly permission structure.

  3. No permission-checking mechanism
    Access control relies only on is_superuser or resource ownership, which is insufficient for enterprise multi-role, multi-admin systems.

  4. No API, dependencies, admin panel, or documentation for RBAC
    Teams must implement their own solutions, leading to duplication and inconsistency.

Proposal

Introduce a clean and extensible RBAC system without a database Permission model:

1. Permissions as Code Constants

Define all permissions centrally as code constants:

class PermissionNames:
    user = "user"
    user_create = f"{user}.create"
    user_delete = f"{user}.delete"

    book = "book"
    book_edit = f"{book}.edit"

Benefits:

  • Centralized and maintainable
  • No database table needed
  • Avoids duplicate or stale data
  • Adding new permissions only requires code changes

2. Permission Tree for Hierarchy and UI

Use a dedicated class PermissionNode to build hierarchical structures:

PermissionNode(
    name=PermissionNames.user,
    children=[
        PermissionNode(name=PermissionNames.user_create),
        PermissionNode(name=PermissionNames.user_delete),
    ]
)

Purpose:

  • Render permission tree in admin/front-end UI
  • Allow administrators to select permissions
  • Single source of truth for permission hierarchy

3. Data Models (Simplified)

  • roles: id, name, description, timestamps
  • role_permission: role_id, permission_name (string constant)
  • user_role: user_id, role_id

No separate Permission model is needed, keeping the database simple.

4. API / CRUD

Provide standard endpoints:

  • Create/update/delete roles
  • Assign/remove permissions to roles (string constants)
  • Assign/remove roles to users
  • Query a user’s effective permissions

5. Permission Checks

Use FastAPI dependencies:

require_permissions(PermissionNames.user_create,PermissionNames.user_delete)

Logic:

  • Aggregate permissions from all roles assigned to the user
  • Superusers bypass checks
  • Supports any/all permission modes

6. Admin Panel Integration

  • Role management UI includes permission assignment
  • Permission tree automatically rendered from PermissionNode hierarchy

7. Documentation and Testing

  • Document how to define permissions, build the permission tree, and protect endpoints
  • Test role assignment and permission checks

📌 Summary

Problem: The project lacks RBAC, making role management and permission control difficult.
Proposal: Add Role, UserRole, and RolePermission models; define permissions as code constants with a hierarchical tree; implement require_permission checks; provide complete API, admin UI, docs, and tests.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions