Skip to content

docs: Add comprehensive RBAC API documentation (#140) #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 15, 2025
Merged

docs: Add comprehensive RBAC API documentation (#140) #160

merged 5 commits into from
Nov 15, 2025
+2,831 −2

Conversation

@kevalyq
Copy link
Contributor

@kevalyq kevalyq commented Nov 15, 2025

Summary

Adds complete RBAC API documentation as required by Issue #140.

Changes

New Documentation Files

  1. docs/api/rbac-endpoints.md (~1000 lines)

    • Complete API reference for 16 RBAC endpoints
    • 4 functional areas: Role Assignment, Role Management, Permission Management, Direct Permissions
    • cURL and JavaScript examples for each endpoint
    • Error responses, rate limiting, pagination

  2. docs/guides/role-management.md (~900 lines)

    • Guide for creating and managing roles
    • Predefined roles (Admin, Manager, Guard, Client, Works Council)
    • Custom role creation workflow
    • Temporal role assignments with examples
    • Best practices and troubleshooting

  3. docs/guides/permission-system.md (~900 lines)

    • Permission naming convention (resource.action)
    • Resource organization by functional area
    • Permission matrix for all predefined roles
    • Custom permission creation guide
    • Best practices and examples

Quality Gates

  • Markdownlint: All files pass (MD029, MD036 violations fixed)
  • REUSE Compliance: All files have SPDX headers
  • Domain Policy: Correct API URLs (api.secpal.app/v1)
  • PHPStan Level Max: No errors
  • Laravel Pint: Code style compliant
  • Tests: 270 passing

PR Size

⚠️ Large PR Override: 2826 lines (exceeds 600 line limit)

Justification: Complete API documentation requires all 3 files together for coherence. Splitting would break the interconnected references between files.

Part of

Checklist

  • All files include SPDX headers
  • Markdownlint clean
  • API URLs corrected (removed redundant /api/)
  • Cross-references between docs validated
  • Examples tested (cURL syntax)
  • Preflight checks passed
  • Conventional commit message

Review Notes

Focus areas for review:

  1. API endpoint accuracy (compare with routes/api.php)
  2. Permission matrix completeness (compare with rbac-architecture.md)
  3. Example code correctness (cURL/JS syntax)
  4. Internal link validity

Total Changes: +2826 lines (3 new files)
No breaking changes

@kevalyq
docs: Add comprehensive RBAC API documentation (#140)
6908e95 
- Add complete API reference (docs/api/rbac-endpoints.md)
  - 16 endpoints across 4 functional areas
  - cURL and JavaScript examples for each endpoint
  - Error responses and troubleshooting

- Add role management guide (docs/guides/role-management.md)
  - Predefined roles (Admin, Manager, Guard, Client, Works Council)
  - Custom role creation workflow
  - Temporal role assignments
  - Best practices and examples

- Add permission system guide (docs/guides/permission-system.md)
  - Permission naming convention (resource.action)
  - Resource organization by domain
  - Permission matrix for all predefined roles
  - Custom permission creation

All files:
- Include SPDX headers (REUSE compliant)
- Markdownlint clean (MD029, MD036 fixed)
- Correct API URLs (api.secpal.app/v1)

Part of RBAC Phase 4 Epic (#108)
Closes #140
Copilot AI review requested due to automatic review settings November 15, 2025 09:48
@github-actions
Copy link

github-actions bot commented Nov 15, 2025

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

  • 💰 Saves CI runtime and Copilot review credits
  • 🎯 Automatically sets linked issues to "🚧 In Progress" status
  • 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

  1. Click "Still in progress? Convert to draft" in the sidebar, OR
  2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊

@kevalyq kevalyq added the large-pr-approved Legitimate large PR (e.g., boilerplate templates, auto-generated code) label Nov 15, 2025
Copilot finished reviewing on behalf of kevalyq November 15, 2025 09:52
Copilot AI reviewed Nov 15, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds comprehensive RBAC API documentation consisting of three new documentation files totaling ~2,800 lines. The documentation covers all 16 RBAC endpoints across four functional areas: Role Assignment, Role Management, Permission Management, and Direct Permissions. Each endpoint includes detailed request/response examples, error handling, and both cURL and JavaScript code samples.

Key Changes:

  • Complete API endpoint reference with authentication, parameters, and error responses
  • Detailed guides for role management including predefined roles and custom role creation
  • Permission system documentation explaining naming conventions, organization, and matrices for all predefined roles

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 22 comments.

File Description
docs/api/rbac-endpoints.md Complete API reference for 16 RBAC endpoints with examples and error responses
docs/guides/role-management.md Comprehensive guide for creating, assigning, and managing roles including temporal assignments
docs/guides/permission-system.md Permission naming conventions, resource organization, and permission matrices for predefined roles

Critical Issues Found:

The documentation contains systematic inconsistencies with the actual codebase:

  1. Permission Naming Mismatch: Documentation uses plural forms (roles.assign, roles.read, permissions.create) but the routes file uses singular forms (role.assign, role.read). This affects approximately 19 locations across all three files.

  2. Missing Authorization Middleware: Documentation claims many endpoints require specific permissions (e.g., roles.create, permissions.update), but the actual routes in routes/api.php lines 49-61 and 74-77 have no permission middleware - only auth:sanctum. This affects 12 endpoints.

  3. Endpoint Path Notation: Inconsistent use of /api/v1/... in endpoint descriptions versus /v1/... in cURL examples and base URL definition.

These issues suggest either the documentation is aspirational (describing planned authorization), or the routes are missing critical authorization middleware that should be implemented.

@kevalyq kevalyq mentioned this pull request Nov 15, 2025
Closed
5 tasks
@kevalyq
docs: Address Copilot review findings - fix permission names and auth…
5fea381 
…orization descriptions

- Fix permission naming: roles.* → role.*, permissions.* → permission.* (consistency with Phase 3)
- Update authorization descriptions for Phase 4 endpoints to reflect controller-level Policy authorization
- Add reference to Issue #161 for planned route-level middleware implementation
- Fix URL notation: /api/v1/ → /v1/ (correct pattern without redundant /api/)
- Update GUARD_ARCHITECTURE.md examples to use correct permission names

Addresses 22 review comments from Copilot in PR #160
Related: #140, #161
@kevalyq kevalyq requested a review from Copilot November 15, 2025 10:18
Copilot finished reviewing on behalf of kevalyq November 15, 2025 10:23
Copilot AI reviewed Nov 15, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

@kevalyq
docs: Fix reports permission naming (reports.read → reports.view)
9167d8a 
Corrected permission name inconsistency in permission-system.md:
- Line 82 (Core Resources table): reports.read → reports.view
- Line 167 (Manager Role): reports.read → reports.view
- Line 207 (Client Role): reports.read → reports.view
- Lines 566-586 (Example 2): reports.read → reports.view

These changes align documentation with actual permission names
defined in RolesAndPermissionsSeeder.php where reports resource
uses 'view' action instead of 'read' action.

Addresses 3 new Copilot review comments on commit 5fea381.

Related to #140
@kevalyq
fix(docs): correct RBAC permission names in documentation
286f268 
- Fix permission name in role-management.md (role.* -> roles.*)
- Add clarifying comments to routes/api.php about authorization
- Document that authorization is handled by Policies, not middleware

The RBAC routes correctly use Policy-based authorization via Gate::authorize()
in the controllers. Copilot review comments were about missing middleware, but
the actual implementation uses Policies which check the correct permissions:
- RoleManagementPolicy checks roles.create/read/update/delete
- PermissionManagementPolicy checks permissions.create/read/update/delete
- UserPermissionPolicy checks Admin role for assignment/revocation

Fixes Copilot review comments in PR #160 regarding authorization.

Related: #140
@kevalyq
chore: trigger GitHub PR update
801c5c0
@kevalyq kevalyq merged commit fe3fe05 into main Nov 15, 2025
16 checks passed
@kevalyq kevalyq deleted the docs/issue-140-rbac-api-documentation branch November 15, 2025 11:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

large-pr-approved Legitimate large PR (e.g., boilerplate templates, auto-generated code)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

RBAC API Documentation (Phase 4)

2 participants

@kevalyq