fix(auth)!: implement proper RBAC with role-permission checking
BREAKING CHANGE: Authorization now requires the role_permissions table. Previously it checked only whether the permission existed; now it verifies that the user's role has been granted the permission. Closes a critical security gap that allowed any user to access any resource. - feat: add role_permissions table schema - feat: add GetPermissionByResourceActionAndRole repository method - fix: update Authorize to check user role before granting access - fix: update cache keys to include roleID - test: update all tests for new authorization flow
@@ -11,6 +11,13 @@ type Permission struct {
|
||||
Action string `json:"action" db:"action"`
|
||||
}
|
||||
|
||||
// RolePermission represents the junction table linking roles to permissions
|
||||
type RolePermission struct {
|
||||
ID int `json:"id" db:"id"`
|
||||
RoleID int `json:"role_id" db:"role_id"`
|
||||
PermissionID int `json:"permission_id" db:"permission_id"`
|
||||
}
|
||||
|
||||
// PolicyAttribute represents an ABAC policy attribute/constraint
|
||||
type PolicyAttribute struct {
|
||||
ID int `json:"id" db:"id"`
|
||||
|
||||
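Review bot: The new RolePermission doc comment does not state the invariant the authorization path now depends on — that a row is the grant itself and that one (RoleID, PermissionID) pair is expected per grant — and the role_permissions schema the description mentions is not in this section, so whether uniqueness is enforced cannot be confirmed here. Since absence of a row is what denies access after this change, that contract is worth stating next to the type rather than only in the commit message. Suggest expanding the comment to: `// RolePermission represents the junction table linking roles to permissions.` / `// A row grants PermissionID to RoleID; the absence of a row denies it.` / `// (RoleID, PermissionID) is expected to be unique — confirm the migration enforces this.` The struct's json tags also make it directly decodable from request bodies; if any handler accepts it, ID should be treated as server-assigned rather than client-supplied, which is not visible from this hunk.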