
Granular RBAC: remove hasALowerOrEqualTeamRoleThan and hasAMinimumTeamRoleOf composables

Open knolleary opened this issue 3 months ago • 2 comments

Description

The permissions composable exposes:

  • hasPermission
  • hasAMinimumTeamRoleOf
  • hasALowerOrEqualTeamRoleThan

as permissions check utilities.

The latter two don't make use of the permissions model; they encourage hardcoded choices in the front-end code regarding what role is allowed to do something.

Those functions should be removed in favour of hasPermission with the appropriate permissions added to forge/lib/permissions.js.

@cstns WDYT?

Epic/Story

No response

Have you provided an initial effort estimate for this issue?

I have provided an initial effort estimate

knolleary avatar Sep 11 '25 14:09 knolleary

I added those checks for semantic purposes only. They don’t add new logic; they just let us write things more clearly in the frontend. The goal was to simplify the code and keep it readable, while still ensuring admin access checks are handled.

It’s true they bypass the permissions model, but they still rely on the same roles that the permissions themselves are based on.

This distinction only makes sense on the frontend, where we need role-based differentiation. The backend only cares about permissions, not roles.

Otherwise the syntax would have been:

<component v-if="isVisitingAdmin || (Roles.owner > teamMembership.role)" .../>

cstns avatar Sep 11 '25 14:09 cstns

Do they impede applications RBAC?

cstns avatar Sep 11 '25 14:09 cstns
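As an added illustration of the point raised in the issue body and in the first reply above (this is example code, not FlowFuse's own): a frontend check driven by a permissions table keeps following that table when a permission's required role changes, whereas a hardcoded role comparison at the call site silently keeps its old answer. The role values, permission names and the shape of the permissions table are constructed stand-ins for forge/lib/permissions.js.

```javascript
// Added example, not FlowFuse code. Role ordering, permission names and the
// shape of the permissions table are constructed stand-ins for this demo.
const Roles = { none: 0, viewer: 10, member: 30, owner: 50, admin: 99 }

// Stand-in for forge/lib/permissions.js: each permission records the minimum
// team role that grants it. Two snapshots model a policy change over time.
const permissionsV1 = {
  'project:read':   { role: Roles.viewer },
  'project:change': { role: Roles.member },
  'team:delete':    { role: Roles.owner }
}
// Later revision: changing a project now requires an owner.
const permissionsV2 = { ...permissionsV1, 'project:change': { role: Roles.owner } }

// Model-driven check: the caller names a permission, never a role, so a
// change in the table is picked up automatically. Unknown permissions fail
// loudly instead of silently granting or denying.
function hasPermission (permissions, teamMembership, permission, isVisitingAdmin = false) {
  if (isVisitingAdmin) return true
  const entry = permissions[permission]
  if (!entry) throw new Error(`unknown permission: ${permission}`)
  const role = teamMembership ? teamMembership.role : Roles.none
  return role >= entry.role
}

// Hardcoded style the issue proposes to remove: the required role is frozen
// at the call site and does not follow the permissions table.
function hasAMinimumTeamRoleOf (teamMembership, minimumRole, isVisitingAdmin = false) {
  const role = teamMembership ? teamMembership.role : Roles.none
  return isVisitingAdmin || role >= minimumRole
}

// Evaluate the same UI decision ("may this user change the project?") both
// ways against a given revision of the permissions table.
function compareChecks (permissions, teamMembership) {
  return {
    model: hasPermission(permissions, teamMembership, 'project:change'),
    hardcoded: hasAMinimumTeamRoleOf(teamMembership, Roles.member)
  }
}

// Example run: a plain member before and after the policy tightening.
const member = { role: Roles.member }
console.log('v1', compareChecks(permissionsV1, member)) // both true
console.log('v2', compareChecks(permissionsV2, member)) // model false, hardcoded still true
```

After the table is tightened, only the permission-based check denies the member; the role comparison still shows the control, which is the drift the issue describes.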