Role-Based Access Control (RBAC) System
This skill provides guidelines and patterns for working with the application's RBAC system. It covers the database schema, security patterns, and API implementation standards.
Core Components
Database Schema
The system uses Role, Permission, and RoleAuditLog models in Prisma. Users are assigned a single Role.
See references/schema.md for details.
API Security
All protected routes must call the checkPermission utility before reading the request body or touching any data; it is the single authorization gate for the API.
See references/api-patterns.md for implementation patterns including:
- Security Middleware usage
- Transactional updates with auditing
- Validation logic
Quick Start Checklist
When implementing a new admin feature:
- Define Permissions: Does the feature need a new permission (e.g., `reports:view`)?
  - If yes, add it to the `Permission` table via migration or seed.
- Protect the API:
  - Import `checkPermission`.
  - Call `await checkPermission('required:action')` at the start of the route.
- Validate Inputs:
  - Use Zod schemas for request bodies.
- Audit Changes:
  - If modifying data (CREATE/UPDATE/DELETE), use `prisma.$transaction`.
  - Create a `RoleAuditLog` entry (or similar audit log if extending beyond roles).
Common Tasks
Checking Permissions in API
```typescript
import { NextResponse } from 'next/server';
// checkPermission is the project's RBAC utility; its import path is not shown on this page.

const { authorized } = await checkPermission('roles:view');
// 403 Forbidden is the right status here: the caller is authenticated but lacks the permission.
if (!authorized) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
```
Accessing User Info
The checkPermission function also returns the authenticated user, so the actor of an action can be taken from the verified session rather than from the request body. Check authorized before relying on user:
```typescript
import { NextResponse } from 'next/server';

const { authorized, user } = await checkPermission('roles:manage');
if (!authorized) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
// Safe to use user only once the check has passed.
console.log('Action performed by:', user.id);
```