rbac-permissions-builder
RBAC/Permissions Builder
Implement flexible role-based access control systems.
Permission Matrix
// Define permissions
export enum Permission {
USER_READ = "user:read",
USER_WRITE = "user:write",
USER_DELETE = "user:delete",
POST_READ = "post:read",
POST_WRITE = "post:write",
ADMIN_ACCESS = "admin:access",
}
// Define roles
export const ROLE_PERMISSIONS = {
user: [Permission.USER_READ, Permission.POST_READ, Permission.POST_WRITE],
moderator: [...userPermissions, Permission.POST_DELETE],
admin: Object.values(Permission), // All permissions
};
// Check permission
export const hasPermission = (user: User, permission: Permission): boolean => {
return ROLE_PERMISSIONS[user.role]?.includes(permission) ?? false;
};
Route Guards (Express)
export const requirePermission = (...permissions: Permission[]) => {
return (req: Request, res: Response, next: NextFunction) => {
if (!req.user) {
return res.status(401).json({ error: "Unauthorized" });
}
const hasAllPermissions = permissions.every((p) =>
hasPermission(req.user, p)
);
if (!hasAllPermissions) {
return res.status(403).json({ error: "Forbidden" });
}
next();
};
};
// Usage
router.delete(
"/users/:id",
authenticate,
requirePermission(Permission.USER_DELETE),
controller.delete
);
Policy Pattern
// policies/user.policy.ts
export class UserPolicy {
static canUpdate(currentUser: User, targetUser: User): boolean {
// Users can update themselves
if (currentUser.id === targetUser.id) return true;
// Admins can update anyone
if (hasPermission(currentUser, Permission.USER_WRITE)) return true;
return false;
}
static canDelete(currentUser: User, targetUser: User): boolean {
// Can't delete yourself
if (currentUser.id === targetUser.id) return false;
// Only admins can delete
return hasPermission(currentUser, Permission.USER_DELETE);
}
}
// Usage in controller
if (!UserPolicy.canUpdate(req.user, targetUser)) {
return res.status(403).json({ error: "Cannot update this user" });
}
Resource Ownership
export const requireOwnership = (
getResourceUserId: (req: Request) => Promise<string>
) => {
return async (req: Request, res: Response, next: NextFunction) => {
const resourceUserId = await getResourceUserId(req);
// Owner can access
if (req.user.id === resourceUserId) {
return next();
}
// Admin can access anything
if (hasPermission(req.user, Permission.ADMIN_ACCESS)) {
return next();
}
return res.status(403).json({ error: "Forbidden" });
};
};
UI Permission Hints
// Return permissions with user
GET /api/me
{
"user": { ... },
"permissions": ["user:read", "post:write"]
}
// Frontend helper
export const usePermission = (permission: Permission): boolean => {
const { user } = useAuth();
return user?.permissions?.includes(permission) ?? false;
};
// Usage
{usePermission('user:delete') && <DeleteButton />}
Best Practices
- Define permissions granularly (resource:action)
- Check at multiple layers (route, controller, UI)
- Use policies for complex rules
- Cache permission checks
- Log permission denials
- Test all permission paths
Output Checklist
- Permission enum/constants
- Role-to-permission mapping
- Route guard middleware
- Policy classes for complex rules
- Ownership checking utilities
- Permission checking helpers
- UI permission hints endpoint
- Test cases for all permission paths
More from monkey1sai/openai-cli
multi-tenant-safety-checker
Ensures tenant isolation at query and policy level using Row Level Security, automated testing, and security audits. Prevents data leakage between tenants. Use for "multi-tenancy", "tenant isolation", "RLS", or "data security".
10modal-drawer-system
Implements accessible modals and drawers with focus trap, ESC to close, scroll lock, portal rendering, and ARIA attributes. Includes sample implementations for common use cases like edit forms, confirmations, and detail views. Use when building "modals", "dialogs", "drawers", "sidebars", or "overlays".
10eslint-prettier-config
Configures ESLint and Prettier for consistent code quality with TypeScript, React, and modern best practices. Use when users request "ESLint setup", "Prettier config", "linting configuration", "code formatting", or "lint rules".
9api-security-hardener
Hardens API security with rate limiting, input validation, authentication, and protection against common attacks. Use when users request "API security", "secure API", "rate limiting", "input validation", or "API protection".
9secure-headers-csp-builder
Implements security headers and Content Security Policy with safe rollout strategy (report-only → enforce), testing, and compatibility checks. Use for "security headers", "CSP", "HTTP headers", or "XSS protection".
9security-incident-playbook-generator
Creates response procedures for security incidents with containment steps, communication templates, and evidence collection. Use for "incident response", "security playbook", "breach response", or "IR plan".
9