Skip to content

RBAC Phase 3: API Endpoints & Authorization Policies #107

New issue
New issue
Closed
#121
Closed
RBAC Phase 3: API Endpoints & Authorization Policies#107
#121
Labels
component: apiphase: 3type: feature
@kevalyq

Description

@kevalyq
kevalyq
opened on Nov 8, 2025

Phase 3 Overview

Build API endpoints for role management with temporal parameters and implement authorization policies.

Tasks

  • Create API endpoints for role management
    • POST /api/v1/users/{id}/roles - Assign role with temporal params
    • GET /api/v1/users/{id}/roles - List roles with expiry info
    • DELETE /api/v1/users/{id}/roles/{role} - Revoke role
    • PATCH /api/v1/users/{id}/roles/{role}/extend - Extend expiration
  • Create RoleController with request validation
    • Validate valid_from < valid_until
    • Validate user has permission to assign role
    • Validate temporal constraints (max duration, etc.)
  • Create form requests
    • AssignRoleRequest - validate temporal parameters
    • ExtendRoleRequest - validate extension limits
  • Implement authorization policies
    • EmployeePolicy - who can view/edit employees
    • ShiftPlanPolicy - who can create/approve plans
    • RolePolicy - who can assign/revoke roles
  • Apply middleware to API routes
    • auth:sanctum for authentication
    • permission: middleware for authorization
  • Write feature tests for all endpoints
    • Role assignment with temporal params
    • Role listing with expiry dates
    • Role extension authorization
    • Policy enforcement validation

Acceptance Criteria

  • All API endpoints implemented and documented
  • Request validation prevents invalid temporal assignments
  • Authorization policies enforce RBAC rules
  • Middleware applied to all protected routes
  • Feature tests achieve >80% coverage
  • API documentation updated in OpenAPI spec
  • Postman collection updated with examples

API Examples

Assign Temporary Role:

POST /api/v1/users/123/roles
{
  "role": "manager",
  "valid_from": "2025-12-01T00:00:00Z",
  "valid_until": "2025-12-14T23:59:59Z",
  "auto_revoke": true,
  "reason": "Vacation coverage for Manager A"
}

Extend Role Expiration:

PATCH /api/v1/users/123/roles/manager/extend
{
  "valid_until": "2025-12-21T23:59:59Z",
  "reason": "Extended vacation period"
}

Reference

Estimated Time

  • Estimate: 2 days
  • Actual: TBD

Metadata

Metadata

Assignees

No one assigned

    Labels

    component: apiphase: 3type: feature

    Type

    No type

    Projects

    SecPal Roadmap

    Status

    ✅ Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions